Keystone does not start under WSGI and AVC denials are seen

Solution Unverified - Updated -


  • Keystone does not start under WSGI.
  • The appropriate label does not seem to be applied to the path /etc/keystone/fernet-keys. AVC denials are seen because /etc/keystone/fernet-keys has context unconfined_u:object_r:etc_t:s0.
  • The context of key files are not as expected after Fernet rotation.


  • Red Hat OpenStack Platform.
  • Keystone.

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase, tools, and much more.

Current Customers and Partners

Log in for full access

Log In

New to Red Hat?

Learn more about Red Hat subscriptions

Using a Red Hat product through a public cloud?

How to access this content