SELinux logs denials such as the following from the ip command (pid 3316) being executed by quantum-dhcp-agent (pid 2604) :
type=AVC msg=audit(1361296820.873:123253): avc: denied { read write } for pid=3316 comm="ip" path="anon_inode:[eventpoll]" dev=anon_inodefs ino=3654 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:anon_inodefs_t:s0 tclass=file
type=SYSCALL msg=audit(1361296820.873:123253): arch=c000003e syscall=59 success=yes exit=0 a0=14507d0 a1=127aaa0 a2=108b9b0 a3=0 items=0 ppid=2604 pid=3316 auid=4294967295 uid=164 gid=164 euid=164 suid=164 fsuid=164 egid=164 sgid=164 fsgid=164 tty=(none) ses=4294967295 comm="ip" exe="/sbin/ip" subj=system_u:system_r:ifconfig_t:s0 key=(null)
In this case, it seems a file descriptor opened by eventlet does not have FD_CLOEXEC set, so its left open and ip tries to access it, which is blocked by SELinux. This particular denial is harmless, other than polluting audit.log, but file descriptors other than stdin, stdout and stderr should be closed when sub-processes are executed.
The nova.utils.execute() implementation addresses this by passing close_fds=True to subprocess.Popen(). Quantum should do the same in quantum.common.utils.subprocess_popen() on master and in quantum.agent.linux.execute() on stable/folsom.
Doesn't sound like a blocker for G-3, so moving to G-rc1