selinux: allow nginx to read symbolic links

This is required to support netboot (which is off by default, but
is useful together with the netboot fallback).

Change-Id: I4d7640a24fac9fca2c24bc06fcedff400d74ed8d

playbooks/roles/bifrost-ironic-install/files/ironic_policy.te

@@ -7,13 +7,15 @@ require {
         class file open;
         class file read;
         class file getattr;
+        class lnk_file read;
 }
 
 
 #============= httpd_t ==============
 
-#!!!! This avc can be allowed using the boolean 'daemons_dump_core'
 allow httpd_t root_t:file open;
 allow httpd_t default_t:file open;
 allow httpd_t root_t:file { read getattr };
 allow httpd_t default_t:file { read getattr };
+allow httpd_t root_t:lnk_file read;
+allow httpd_t default_t:lnk_file read;

releasenotes/notes/selinux-lnk_file-527ac51c60f9c2ad.yaml

@@ -0,0 +1,5 @@
+---
+fixes:
+  - |
+    On systems with SELinux enforcing, enables nginx to read symbolic links.
+    Fixes network boot of instances.