1241422 – SElinux is set as Enforcing in the Ceph OSD nodes

Bug 1241422 - SElinux is set as Enforcing in the Ceph OSD nodes

Summary: SElinux is set as Enforcing in the Ceph OSD nodes

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat OpenStack
Classification:	Red Hat
Component:	rhosp-director
Sub Component:
Version:	Director
Hardware:	x86_64
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	ga
Target Release:	Director
Assignee:	Jiri Stransky
QA Contact:	Yogev Rabl
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2015-07-09 08:20 UTC by Yogev Rabl
Modified:	2015-08-05 13:58 UTC (History)
CC List:	7 users (show)
Fixed In Version:	openstack-tripleo-heat-templates-0.8.6-37.el7ost
Doc Type:	Bug Fix
Doc Text:	SELinux was set to enforcing mode on Ceph OSD nodes. However, according to official Ceph documentation, SELinux should be set to permissive mode on Ceph OSD nodes. This fix sets SELinux to permissive on Ceph OSD nodes.
Clone Of:
Environment:
Last Closed:	2015-08-05 13:58:59 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
OpenStack gerrit	201259	0	None	MERGED	Ensure SELinux is permissive on Ceph OSDs	2020-04-15 14:58:32 UTC
Red Hat Product Errata	RHEA-2015:1549	0	normal	SHIPPED_LIVE	Red Hat Enterprise Linux OpenStack Platform director Release	2015-08-05 17:49:10 UTC

Description Yogev Rabl 2015-07-09 08:20:41 UTC

Description of problem:
Red Hat's official Ceph 1.2.3 and 1.3 installation documentation guides us to set SElinux to permissive mode. 

The implications are not known and actions of the storage might be blocked by SElinux

Version-Release number of selected component (if applicable):
openstack-tripleo-image-elements-0.9.6-5.el7ost.noarch
openstack-heat-templates-0-0.6.20150605git.el7ost.noarch
openstack-tripleo-heat-templates-0.8.6-23.el7ost.noarch
openstack-tripleo-0.0.7-0.1.1664e566.el7ost.noarch
openstack-tripleo-puppet-elements-0.0.1-3.el7ost.noarch


How reproducible:
100%

Steps to Reproduce:
1. Install Ceph OSD and monitors with OSP Director
2. check SElinux mode 
# getenforce


Actual results:
SElinux is in Enforcing mode

Expected results:
SElinux should be in permissive mode

Additional info:

Comment 3 chris alfonso 2015-07-13 13:07:45 UTC

Jiri, Please update this with the latest status.

Comment 4 Mike Burns 2015-07-13 13:08:31 UTC

This only impacts OSD nodes, not monitor nodes.

Comment 5 Jiri Stransky 2015-07-13 17:22:20 UTC

WIP patch submitted but needs proper testing to be considered working (not moving to ON_DEV yet). https://review.openstack.org/201259

Comment 6 Jiri Stransky 2015-07-14 10:58:11 UTC

Submitted a backport and tested deployment with a Ceph node:

[root@overcloud-cephstorage-0 ~]# cat /etc/selinux/config | grep '^SELINUX='
SELINUX=permissive
[root@overcloud-cephstorage-0 ~]# getenforce 
Permissive

Comment 8 Omri Hochman 2015-07-22 14:45:00 UTC

Verified with openstack-tripleo-heat-templates-0.8.6-44.el7ost.noarch : 

[stack@rhos-compute-node-18 ~]$ nova list
+--------------------------------------+-------------------------+--------+------------+-------------+-----------------------+
| ID                                   | Name                    | Status | Task State | Power State | Networks              |
+--------------------------------------+-------------------------+--------+------------+-------------+-----------------------+
| 02a0e351-0b6d-4f3c-b589-926d4a9b3eea | overcloud-cephstorage-0 | ACTIVE | -          | Running     | ctlplane=192.168.0.19 |
| 18cf391e-7afb-4b55-a5dc-06b75cfb4876 | overcloud-compute-0     | ACTIVE | -          | Running     | ctlplane=192.168.0.20 |
| a847401a-a030-4266-aca2-e8d1cf2889b6 | overcloud-controller-0  | ACTIVE | -          | Running     | ctlplane=192.168.0.21 |
| 08f04db2-4eeb-4dac-a2ba-4a120c9d2140 | overcloud-controller-1  | ACTIVE | -          | Running     | ctlplane=192.168.0.22 |
| c52d985e-7e06-4952-a572-fee4349fd922 | overcloud-controller-2  | ACTIVE | -          | Running     | ctlplane=192.168.0.23 |
+--------------------------------------+-------------------------+--------+------------+-------------+-----------------------+
[stack@rhos-compute-node-18 ~]$ ssh heat-admin.0.19
Last login: Tue Jul 21 08:32:54 2015 from 192.168.0.1
[heat-admin@overcloud-cephstorage-0 ~]$ 
[heat-admin@overcloud-cephstorage-0 ~]$ 
[heat-admin@overcloud-cephstorage-0 ~]$ 
[heat-admin@overcloud-cephstorage-0 ~]$ getenforce
Permissive

Comment 10 errata-xmlrpc 2015-08-05 13:58:59 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2015:1549

Note You need to log in before you can comment on or make changes to this bug.