1333398 – [RH Ceph 2] Do a proper SELinux relabel on rhel 7.3+

Bug 1333398 - [RH Ceph 2] Do a proper SELinux relabel on rhel 7.3+

Summary: [RH Ceph 2] Do a proper SELinux relabel on rhel 7.3+

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Ceph Storage
Classification:	Red Hat Storage
Component:	Build
Sub Component:
Version:	2.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	medium
Target Milestone:	rc
Target Release:	2.1
Assignee:	Boris Ranto
QA Contact:	Vasu Kulkarni
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2016-05-05 12:19 UTC by Boris Ranto
Modified:	2022-02-21 18:03 UTC (History)
CC List:	7 users (show)
Fixed In Version:	ceph-10.2.1-3.el7cp
Doc Type:	Bug Fix
Doc Text:	.SELinux no longer prevents "ceph-mon" and "ceph-osd" from accessing /var/lock/ and /run/lock/ Due to insufficient SELinux policy rules, SELinux denied the `ceph-mon` and `ceph-osd` daemons to access the files in the `/var/lock/` and `/run/lock/` directories. With this update, SELinux no longer prevents `ceph-mon` and `ceph-osd` from accessing `/var/lock/` and `/run/lock/`.
Clone Of:	1330279
Environment:
Last Closed:	2016-11-22 19:25:50 UTC
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Bugzilla	1335619	0	unspecified	CLOSED	[RH Ceph 2.0]: ceph-mon/systemd selinux denials during ceph-ansible runs	2022-02-21 18:03:29 UTC
Red Hat Product Errata	RHSA-2016:2815	0	normal	SHIPPED_LIVE	Moderate: Red Hat Ceph Storage security, bug fix, and enhancement update	2017-03-22 02:06:33 UTC

Internal Links: 1335619

Comment 2 Boris Ranto 2016-05-05 12:21:07 UTC

This was cloned so that we would back-port

https://github.com/ceph/ceph/pull/8923

Comment 3 Ken Dreyer (Red Hat) 2016-05-06 15:38:58 UTC

(In reply to Boris Ranto from comment #2)
> This was cloned so that we would back-port
> 
> https://github.com/ceph/ceph/pull/8923

Boris I see that PR was merged to master. Does a cherry-pick need to be merged to jewel as well?

Comment 4 Boris Ranto 2016-05-09 07:17:37 UTC

Nathan cherry-picked it in

https://github.com/ceph/ceph/pull/8938

These should all be headed for 10.2.1 so if we will be rebasing to 10.2.1, we should be good to go. I cloned this BZ because I was not sure whether we will rebase.

Comment 5 Ken Dreyer (Red Hat) 2016-05-10 02:17:26 UTC

The plan is to rebase to 10.2.1. We can make sure we pick up this change at that time.

Comment 6 Ken Dreyer (Red Hat) 2016-05-13 16:49:33 UTC

v10.2.1 was tagged today and it looks like that PR did not make it in. We will take the PR's changes in the downstream RHCS packaging in the meantime.

Comment 10 Harish NV Rao 2016-06-13 11:18:33 UTC

QA ack already given.

Comment 11 Vasu Kulkarni 2016-07-08 18:12:32 UTC

Dont have 7.3 yet to test this, will be on hold.

Comment 14 John Poelstra 2016-08-03 21:53:36 UTC

Moving to modified so it can be attached to future errata advisory

Comment 20 Vasu Kulkarni 2016-11-03 00:23:11 UTC

Verified with Automated runs.

Comment 22 errata-xmlrpc 2016-11-22 19:25:50 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2016-2815.html

Note You need to log in before you can comment on or make changes to this bug.