With NovaNfsEnabled, instance creation fails due to the wrong default SELinux context.
parameter_defaults:
  NovaNfsEnabled: True
  NovaNfsShare: '192.168.24.1:/var/nfs'
[root@compute-0 ~]# mount |grep nfs4
192.168.24.1:/var/nfs on /var/lib/nova/instances type nfs4 (rw,relatime,context=system_u:object_r:nova_var_lib_t:s0,vers=4.1,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=sys,clientaddr=192.168.24.14,local_lock=none,addr=192.168.24.1,_netdev)
[root@compute-1 ~]# mount |grep nfs4
192.168.24.1:/var/nfs on /var/lib/nova/instances type nfs4 (rw,relatime,context=system_u:object_r:nova_var_lib_t:s0,vers=4.1,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=sys,clientaddr=192.168.24.16,local_lock=none,addr=192.168.24.1,_netdev)
(overcloud) [stack@undercloud-0 ~]$ openstack server create --flavor m1.small --image cirros --nic net-id=ec392c10-f897-493b-941b-a3f6a0084122 test-nfs
(overcloud) [stack@undercloud-0 ~]$ openstack server list --long
+--------------------------------------+----------+--------+------------+-------------+---------------------+------------+--------------------------------------+-------------+--------------------------------------+-------------------+--------------------------------+------------+
| ID | Name | Status | Task State | Power State | Networks | Image Name | Image ID | Flavor Name | Flavor ID | Availability Zone | Host | Properties |
+--------------------------------------+----------+--------+------------+-------------+---------------------+------------+--------------------------------------+-------------+--------------------------------------+-------------------+--------------------------------+------------+
| 22659aca-22ea-4e79-a761-a36e2953da28 | test-nfs | ACTIVE | None | Running | private=192.168.0.5 | cirros | 4d956919-6e5d-4968-9040-1c0fc4b15401 | m1.small | c681e5a6-23c9-4de0-bc99-3b21afb87c9a | nova | compute-1.external.localdomain | |
+--------------------------------------+----------+--------+------------+-------------+---------------------+------------+--------------------------------------+-------------+--------------------------------------+-------------------+--------------------------------+------------+
(overcloud) [stack@undercloud-0 ~]$ nova live-migration 22659aca-22ea-4e79-a761-a36e2953da28
(overcloud) [stack@undercloud-0 ~]$ openstack server list --long
+--------------------------------------+----------+--------+------------+-------------+---------------------+------------+--------------------------------------+-------------+--------------------------------------+-------------------+--------------------------------+------------+
| ID | Name | Status | Task State | Power State | Networks | Image Name | Image ID | Flavor Name | Flavor ID | Availability Zone | Host | Properties |
+--------------------------------------+----------+--------+------------+-------------+---------------------+------------+--------------------------------------+-------------+--------------------------------------+-------------------+--------------------------------+------------+
| 22659aca-22ea-4e79-a761-a36e2953da28 | test-nfs | ACTIVE | None | Running | private=192.168.0.5 | cirros | 4d956919-6e5d-4968-9040-1c0fc4b15401 | m1.small | c681e5a6-23c9-4de0-bc99-3b21afb87c9a | nova | compute-0.external.localdomain | |
+--------------------------------------+----------+--------+------------+-------------+---------------------+------------+--------------------------------------+-------------+--------------------------------------+-------------------+--------------------------------+------------+
The default in THT is set to nova_var_lib_t in [1], whereas it is system_u:object_r:nfs_t:s0 that should have access. The virt_use_nfs boolean, which is turned on by openstack-selinux, should already cover this use case. Granting svirt_t generic write access to nova_var_lib_t isn't ideal.
We should change the default to context=system_u:object_r:nova_t:s0.
[1] https://github.com/openstack/tripleo-heat-templates/blob/master/puppet/services/nova-compute.yaml#L68
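The following shell script is an added example, not part of the bug report or of tripleo-heat-templates. It parses the context= option out of a `mount` (or /proc/mounts) line for the nova instances share and compares it with an expected label, so a compute host can be checked for the wrong default described above. The expected label (system_u:object_r:nova_t:s0) is taken from the proposal in the report and is an assumption of the script; the sample line is the compute-0 line shown above, so it represents the broken state. The mount point /var/lib/nova/instances is the one from the report.

```shell
#!/bin/sh
# Added example (not from the bug report): check the SELinux context option
# on the nova instances NFS mount.
# EXPECTED_CONTEXT is an assumption taken from the report's proposal.

EXPECTED_CONTEXT="system_u:object_r:nova_t:s0"
NOVA_INSTANCES_DIR="/var/lib/nova/instances"

# Constructed sample: the compute-0 mount line from the report (broken state).
SAMPLE_MOUNT_LINE='192.168.24.1:/var/nfs on /var/lib/nova/instances type nfs4 (rw,relatime,context=system_u:object_r:nova_var_lib_t:s0,vers=4.1,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=sys,clientaddr=192.168.24.14,local_lock=none,addr=192.168.24.1,_netdev)'

# Print the value of the context= option from one `mount` or /proc/mounts
# line; print nothing if the mount carries no context= option.
# Surrounding double quotes (as /proc/mounts may show them) are stripped.
mount_context() {
    printf '%s\n' "$1" | sed -n 's/.*[(,]context=\([^,)]*\).*/\1/p' | tr -d '"'
}

# Exit 0 when the line's context equals EXPECTED_CONTEXT, 1 otherwise.
context_ok() {
    [ "$(mount_context "$1")" = "$EXPECTED_CONTEXT" ]
}

# Look up the live mount line for the nova instances directory; empty if the
# directory is not an NFS mount on this host.
live_nova_mount_line() {
    mount 2>/dev/null | grep " on $NOVA_INSTANCES_DIR type nfs" | head -n 1
}

# Classify one mount line as OK / WRONG / MISSING; exit 0 only for OK.
report() {
    line=$1
    ctx=$(mount_context "$line")
    if [ -z "$ctx" ]; then
        echo "MISSING: no context= option on $NOVA_INSTANCES_DIR mount"
        return 1
    elif [ "$ctx" = "$EXPECTED_CONTEXT" ]; then
        echo "OK: $ctx"
        return 0
    else
        echo "WRONG: mounted with $ctx, expected $EXPECTED_CONTEXT"
        return 1
    fi
}

# Stand-alone run: report on the sample line, then on the live mount if any.
main() {
    report "$SAMPLE_MOUNT_LINE" || true
    live=$(live_nova_mount_line)
    if [ -n "$live" ]; then
        report "$live"
    else
        echo "INFO: $NOVA_INSTANCES_DIR is not an NFS mount on this host"
    fi
}

main "$@"
```

Run it on a compute node as root; the sample line always reports WRONG (it carries the nova_var_lib_t default the report objects to), and the live mount, when present, is reported against the expected label. The parser accepts both the `mount` output format shown in the report and the /proc/mounts format, including a double-quoted context value, which is why a quote-stripping step follows the extraction.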
Fix proposed to branch: master
Review: https://review.openstack.org/582913