Bug 1379797 - We should label /srv/data as ceph_var_lib_t
Summary: We should label /srv/data as ceph_var_lib_t
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: rhosp-director
Version: 9.0 (Mitaka)
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 9.0 (Mitaka)
Assignee: Angus Thomas
QA Contact: Amit Ugol
URL:
Whiteboard:
Depends On: 1379751
Blocks: 1349194
Reported: 2016-09-27 16:54 UTC by Giulio Fidente
Modified: 2017-02-17 16:01 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-02-17 16:01:16 UTC
Target Upstream Version:
Embargoed:
rhallise: needinfo-



Description Giulio Fidente 2016-09-27 16:54:44 UTC
To run Ceph/Hammer with SELinux in enforcing mode in OSPd9 (see BZ 1349194 and BZ 1379751), we need to label the default OSD data directory with the 'ceph_var_lib_t' context.

This is not necessary in OSPd10 because for Ceph/Jewel the puppet module will label correctly any directory given to it to be used as OSD data.

NOTE: 'ceph_var_lib_t' in OSPd9 is only available when the 'ceph-selinux' package is installed.

Comment 1 Ryan Hallisey 2016-09-27 16:57:38 UTC
This change would need to be a backported patch carried only in osp 9

Comment 2 Ryan Hallisey 2016-10-14 11:07:57 UTC
I'll need acks to build this

Comment 3 Lon Hohberger 2016-10-19 19:41:42 UTC
Erm...

So, this forces openstack-selinux to depend on ceph-selinux, since without it, the ceph_var_lib_t would not exist.

Why is this not handled in ceph-selinux ?

Comment 5 Lon Hohberger 2016-10-19 19:47:30 UTC
So, this needs to be conditional or handled elsewhere.  Depending on types which are included in packages from products which may or may not be present/desired during installation isn't correct, nor is simply ignoring the return value (which results in a non-deterministic state).

Comment 8 Giulio Fidente 2016-10-20 11:53:12 UTC
(In reply to Lon Hohberger from comment #3)
> Erm...
> 
> So, this forces openstack-selinux to depend on ceph-selinux, since without
> it, the ceph_var_lib_t would not exist.
> 
> Why is this not handled in ceph-selinux ?

because there isn't really a default data directory for an OSD; for OSPd10 the puppet-ceph module is tagging with that label whatever directory is given to it as data directory ... this is possible because ceph-selinux is a *requirement* for Ceph/Jewel

for Ceph/Hammer instead (shipped with OSPd9) it is not; daemons can run in unconfined mode

I am not entirely sure what we want for OSPd9 anymore; the requirement is to not run with SELinux in permissive mode, this should be possible without installing ceph-selinux at all (in which case we won't need to tag the directory either) but Ceph will be unconfined anyway. Maybe that is acceptable. If we want Ceph to be confined, then we need ceph-selinux and we also need to tag appropriately the directory to which OSPd itself defaults for OSDs.

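A conditional, error-checked form of the labelling step that comments 5 and 8 argue for, added here as an example (it is not code from this bug or from puppet-ceph). It assumes getenforce, rpm, seinfo (setools), semanage and restorecon are on PATH, and treats ceph_var_lib_t as usable only when ceph-selinux is installed and the type is present in the loaded policy:

```shell
# Added example, not code from the bug or from puppet-ceph: label the OSPd9
# default OSD data directory with ceph_var_lib_t only when that type can
# actually be applied, and fail on error instead of ignoring exit codes.
# Assumed tooling: getenforce, rpm, seinfo (setools), semanage, restorecon.

OSD_DIR="${OSD_DIR:-/srv/data}"
OSD_TYPE="ceph_var_lib_t"

# Returns 0 if the type is defined in the loaded policy, 1 otherwise.
selinux_type_defined() {
    seinfo -t "$1" 2>/dev/null | sed 's/^[[:space:]]*//' | grep -qx -- "$1"
}

# Prints the decision: skip-disabled, skip-no-type or label.  The decision
# is kept separate from the side effects so it can be checked without root.
osd_label_plan() {
    if [ "$(getenforce 2>/dev/null)" = "Disabled" ]; then
        echo skip-disabled; return 0
    fi
    # ceph_var_lib_t ships in ceph-selinux (see the description); without it
    # Hammer daemons run unconfined and there is nothing to label.
    if ! rpm -q ceph-selinux >/dev/null 2>&1 || ! selinux_type_defined "$OSD_TYPE"; then
        echo skip-no-type; return 0
    fi
    echo label
}

# Persists the file-context rule, relabels, and verifies the result.
# Every step is checked, so a partial relabel cannot pass silently.
osd_apply_label() {
    spec="$OSD_DIR(/.*)?"
    if semanage fcontext -l 2>/dev/null | grep -qF -- "$spec "; then
        action=-m   # rule already present: modify rather than fail on -a
    else
        action=-a
    fi
    semanage fcontext "$action" -t "$OSD_TYPE" "$spec" || return 1
    restorecon -R "$OSD_DIR" || return 1
    ls -Zd "$OSD_DIR" | grep -q ":$OSD_TYPE:"
}

main() {
    plan=$(osd_label_plan)
    case "$plan" in
        label) osd_apply_label ;;
        *) echo "nothing to label ($plan)" ;;
    esac
}
main
```
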
Comment 13 Lon Hohberger 2017-02-17 16:01:16 UTC
This is fixed in puppet-ceph:

https://github.com/openstack/puppet-ceph/commit/f13493abc38cb13eec94bf203f15ec1d26d7ad28

This should be resolved in OSP10
