Running `audit2allow -a` on my Fedora 21/RDO Juno system yields
several issues, but this one caught my eye:

    #!!!! This avc can be allowed using the boolean 'glance_api_can_network'
    allow glance_api_t keystone_port_t:tcp_socket name_connect;

Why is this a boolean? In what scenario would glance *not* need to
connect to Keystone?
--
Lars Kellogg-Stedman <lars(a)redhat.com> | larsks @ {freenode,twitter,github}
Cloud Engineering / OpenStack | http://blog.oddbit.com/