Bug 1823764

Summary: RFE: Enable genfs+xattr labeling for CephFS
Product: Red Hat Enterprise Linux 8 Reporter: Ondrej Mosnacek <omosnace>
Component: kernelAssignee: Ondrej Mosnacek <omosnace>
kernel sub component: SELinux QA Contact: Milos Malik <mmalik>
Status: CLOSED ERRATA Docs Contact: Jan Fiala <jafiala>
Severity: low    
Priority: medium CC: dyocum, jafiala, jlayton, lmanasko, pasik
Version: 8.2Keywords: AutoVerified, FutureFeature, Triaged
Target Milestone: rcFlags: pm-rhel: mirror+
Target Release: 8.3   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: kernel-4.18.0-198.el8 Doc Type: Enhancement
Doc Text:
.Individual CephFS files and directories can now have SELinux labels The Ceph File System (CephFS) has recently enabled storing SELinux labels in the extended attributes of files. Previously, all files in a CephFS volume were labeled with a single common label `system_u:object_r:cephfs_t:s0`. With this enhancement, you can change the labels for individual files, and SELinux defines the labels of newly created files based on transition rules. Note that previously unlabeled files still have the `system_u:object_r:cephfs_t:s0` label until explicitly changed.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2020-11-04 01:14:08 UTC Type: Feature Request
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1814668, 1865800    
Bug Blocks: 1814689    

Description Ondrej Mosnacek 2020-04-14 12:53:51 UTC 
As discussed in BZ 1814689, we want to enable CephFS to use xattr for storing labels, but at the same time keep cephfs_t as default label for files without a label (for backwards compatibility).

To enable this, we need to make small RHEL-only changes to the kernel and selinux-policy. This BZ tracks the kernel part - to add "ceph" to the list of filesystems for which combined genfs + xattrs labeling is used. The policy part is tracked in BZ 1814689.
Comment 6 Frantisek Hrbata 2020-05-13 07:44:45 UTC 
Patch(es) available on kernel-4.18.0-198.el8
Comment 24 errata-xmlrpc 2020-11-04 01:14:08 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: kernel security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:4431
Comment 25 Dan Yocum 2021-08-26 17:55:16 UTC 
What version of OCP did this RHSA make it into?