Bug 1609427 – ceph-volume does not set SELinux context of newly mounted filesystems

Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.

Bug 1609427 - ceph-volume does not set SELinux context of newly mounted filesystems

Summary:	ceph-volume does not set SELinux context of newly mounted filesystems

Status:	CLOSED ERRATA

Aliases:	None

Product:	Red Hat Ceph Storage
Classification:	Red Hat
Component:	Ceph-Volume (Show other bugs)
Sub Component:
Version:	3.0
Hardware:	Unspecified Unspecified

Priority	urgent Severity urgent
Target Milestone:	rc
Target Release:	3.1
Assigned To:	Boris Ranto
QA Contact:	Ramakrishnan Periyasamy
Docs Contact:	Aron Gunn

URL:
Whiteboard:
Keywords:

Depends On:
Blocks:	1584264 1609430
	Show dependency tree / graph

Reported:	2018-07-27 18:30 EDT by Boris Ranto
Modified:	2018-10-04 15:29 EDT (History)
CC List:	7 users (show)

See Also:	1618460
Fixed In Version:	RHEL: ceph-12.2.5-37.el7cp Ubuntu: ceph_12.2.5-22redhat1
Doc Type:	Bug Fix
Doc Text:	.The SELinux context is set correctly when using `ceph-volume` for new filesystems The `ceph-volume` utility was not labeling newly created filesystems, which was causing `AVC` denial messages in the `/var/log/audit/audit.log` file. In this release, the `ceph-volume` utility sets the proper SELinux context (`ceph_var_lib_t`), on the OSD filesystem.
Story Points:	---
Clone Of:
Clones:	1609430 (view as bug list)
Environment:
Last Closed:	2018-09-26 14:23:43 EDT
Type:	Bug
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2018:2819	None	None	None	2018-09-26 14:24 EDT

Groups: None (edit)

Description Boris Ranto 2018-07-27 18:30:17 EDT

Description of problem:
The ceph-volume utility does not restore the SELinux context of newly mounted filesystems. This will result in an unlabelled or improperly labelled OSDs and a lot of avc denials. As a result, people will need to manually relabel the file-system upon deployment to avoid SELinux denials which can take a lot of time.

Version-Release number of selected component (if applicable):
Any

How reproducible:
Always

Steps to Reproduce:
1. Deploy an OSD with ceph-volume
2. Check the audit.log for avc denials
3. Check the context of the mounted file-systems in /var/lib/ceph/osd/

Actual results:
There are avc denials and the SELinux context is incorrect.

Expected results:
No avc denials, the SELinux context is ceph_var_lib_t.

Additional info:

Comment 6 Ramakrishnan Periyasamy 2018-08-02 23:26:51 EDT

Moving this bug to verified, there is no avc denial messages in /var/log/audit/audit.log

Verified in ceph version 12.2.5-37.el7cp (7bac42c43d4cdcca7d0c4233344f9a3932636341) luminous (stable)

Comment 10 errata-xmlrpc 2018-09-26 14:23:43 EDT

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:2819

Note You need to log in before you can comment on or make changes to this bug.