Bug 1379797

Summary: We should label /srv/data as ceph_var_lib_t
Product: Red Hat OpenStack
Reporter: Giulio Fidente <gfidente>
Component: rhosp-director
Assignee: Angus Thomas <athomas>
Status: CLOSED CURRENTRELEASE
QA Contact: Amit Ugol <augol>
Severity: unspecified
Priority: unspecified
Version: 9.0 (Mitaka)
CC: dbecker, gfidente, lhh, mburns, mgrepl, morazi, rhallise, rhel-osp-director-maint, smerrow, srevivo
Target Milestone: ---
Keywords: Triaged, ZStream
Target Release: 9.0 (Mitaka)
Flags: rhallise: needinfo-
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2017-02-17 16:01:16 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1379751
Bug Blocks: 1349194

Description Giulio Fidente 2016-09-27 16:54:44 UTC
To run Ceph/Hammer with SELinux in enforcing mode in OSPd9 (see BZ 1349194 and BZ 1379751), we need to label the default OSD data directory with the 'ceph_var_lib_t' context.

This is not necessary in OSPd10 because for Ceph/Jewel the puppet module will label correctly any directory given to it to be used as OSD data.

NOTE: 'ceph_var_lib_t' in OSPd9 is only available when the 'ceph-selinux' package is installed.

Comment 1 Ryan Hallisey 2016-09-27 16:57:38 UTC
This change would need to be a backported patch carried only in osp 9

Comment 2 Ryan Hallisey 2016-10-14 11:07:57 UTC
I'll need acks to build this

Comment 3 Lon Hohberger 2016-10-19 19:41:42 UTC
Erm...

So, this forces openstack-selinux to depend on ceph-selinux, since without it, the ceph_var_lib_t would not exist.

Why is this not handled in ceph-selinux ?

Comment 5 Lon Hohberger 2016-10-19 19:47:30 UTC
So, this needs to be conditional or handled elsewhere.  Depending on types which are included in packages from products which may or may not be present/desired during installation isn't correct, nor is simply ignoring the return value (which results in a non-deterministic state).
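The conditional handling asked for in the comment above, as an added example that is not code from this bug, from openstack-selinux or from puppet-ceph: a POSIX shell script that applies ceph_var_lib_t to the OSPd9 default OSD directory only when the type exists in the loaded policy, and otherwise returns a distinct non-zero status rather than ignoring the failure. It assumes `seinfo -t` (setools) prints one type name per line and that `semanage fcontext` plus `restorecon` are the labelling commands; the function names and the sample type lists are the example's own.

```shell
#!/bin/sh
# Added example, not code from this bug, openstack-selinux or puppet-ceph.
# Apply ceph_var_lib_t to the OSD data directory only if the type exists in
# the loaded policy; otherwise fail with a distinct status instead of
# ignoring a failed semanage/restorecon (the non-deterministic state above).
# Assumption: `seinfo -t` (setools) prints one type name per line.
set -u

OSD_DIR="${OSD_DIR:-/srv/data}"
CEPH_TYPE="ceph_var_lib_t"

# Run a command, or only print it when DRY_RUN is set; status is propagated.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf 'would run: %s\n' "$*"
    else
        "$@"
    fi
}

# True if type $1 is in the type list $2 (default: the live policy's types).
type_in_policy() {
    _list="${2:-$(seinfo -t 2>/dev/null || true)}"
    printf '%s\n' "$_list" | sed 's/^[[:space:]]*//' | grep -qx "$1"
}

# Label directory $1; optional $2 overrides the type list (used for testing).
# Exit codes: 0 labelled, 2 type missing (ceph-selinux absent), 3 tool failed.
# Usage after sourcing: DRY_RUN=1 label_osd_dir "$OSD_DIR"
label_osd_dir() {
    _dir="$1"
    if ! type_in_policy "$CEPH_TYPE" "${2:-}"; then
        echo "error: $CEPH_TYPE is not in the loaded policy; install ceph-selinux" >&2
        return 2
    fi
    # -a fails if a rule for the path already exists; fall back to -m (modify).
    run semanage fcontext -a -t "$CEPH_TYPE" "${_dir}(/.*)?" \
        || run semanage fcontext -m -t "$CEPH_TYPE" "${_dir}(/.*)?" || return 3
    run restorecon -R "$_dir" || return 3
}

# Constructed sample type lists, standing in for `seinfo -t` output offline.
SAMPLE_TYPES_WITH_CEPH="$(printf 'var_lib_t\n   ceph_var_lib_t\nceph_t\n')"
SAMPLE_TYPES_NO_CEPH="$(printf 'var_lib_t\nopenstack_t\n')"
```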

Comment 8 Giulio Fidente 2016-10-20 11:53:12 UTC
(In reply to Lon Hohberger from comment #3)
> Erm...
> 
> So, this forces openstack-selinux to depend on ceph-selinux, since without
> it, the ceph_var_lib_t would not exist.
> 
> Why is this not handled in ceph-selinux ?

because there isn't really a default data directory for an OSD; for OSPd10 the puppet-ceph module is tagging with that label whatever directory is given to it as data directory ... this is possible because ceph-selinux is a *requirement* for Ceph/Jewel

for Ceph/Hammer instead (shipped with OSPd9) it is not, daemons can run in unconfined mode

I am not entirely sure what we want for OSPd9 anymore; the requirement is to not run with SELinux in permissive mode, this should be possible without installing ceph-selinux at all (in which case we won't need to tag the directory either) but Ceph will be unconfined anyway. Maybe that is acceptable. If we want Ceph to be confined, then we need ceph-selinux and we also need to tag appropriately the directory to which OSPd itself defaults for OSDs.

Comment 13 Lon Hohberger 2017-02-17 16:01:16 UTC
This is fixed in puppet-ceph:

https://github.com/openstack/puppet-ceph/commit/f13493abc38cb13eec94bf203f15ec1d26d7ad28

This should be resolved in OSP10