1609427 – ceph-volume does not set SELinux context of newly mounted filesystems

Bug 1609427 - ceph-volume does not set SELinux context of newly mounted filesystems

Summary: ceph-volume does not set SELinux context of newly mounted filesystems

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Ceph Storage
Classification:	Red Hat Storage
Component:	Ceph-Volume
Sub Component:
Version:	3.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	urgent
Severity:	urgent
Target Milestone:	rc
Target Release:	3.1
Assignee:	Boris Ranto
QA Contact:	Ramakrishnan Periyasamy
Docs Contact:	Aron Gunn
URL:
Whiteboard:
Depends On:
Blocks:	1584264 1609430
TreeView+	depends on / blocked

Reported:	2018-07-27 22:30 UTC by Boris Ranto
Modified:	2018-10-04 19:29 UTC (History)
CC List:	7 users (show)
Fixed In Version:	RHEL: ceph-12.2.5-37.el7cp Ubuntu: ceph_12.2.5-22redhat1
Doc Type:	Bug Fix
Doc Text:	.The SELinux context is set correctly when using `ceph-volume` for new filesystems The `ceph-volume` utility was not labeling newly created filesystems, which was causing `AVC` denial messages in the `/var/log/audit/audit.log` file. In this release, the `ceph-volume` utility sets the proper SELinux context (`ceph_var_lib_t`), on the OSD filesystem.
Clone Of:
Clones:	1609430 (view as bug list)
Environment:
Last Closed:	2018-09-26 18:23:43 UTC
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Bugzilla	1618460	0	urgent	CLOSED	restorecon calls break OSD provisioning	2021-02-22 00:41:40 UTC
Red Hat Product Errata	RHBA-2018:2819	0	None	None	None	2018-09-26 18:24:33 UTC

Internal Links: 1618460

Description Boris Ranto 2018-07-27 22:30:17 UTC

Description of problem:
The ceph-volume utility does not restore the SELinux context of newly mounted filesystems. This will result in an unlabelled or improperly labelled OSDs and a lot of avc denials. As a result, people will need to manually relabel the file-system upon deployment to avoid SELinux denials which can take a lot of time.

Version-Release number of selected component (if applicable):
Any

How reproducible:
Always

Steps to Reproduce:
1. Deploy an OSD with ceph-volume
2. Check the audit.log for avc denials
3. Check the context of the mounted file-systems in /var/lib/ceph/osd/

Actual results:
There are avc denials and the SELinux context is incorrect.

Expected results:
No avc denials, the SELinux context is ceph_var_lib_t.

Additional info:

Comment 6 Ramakrishnan Periyasamy 2018-08-03 03:26:51 UTC

Moving this bug to verified, there is no avc denial messages in /var/log/audit/audit.log

Verified in ceph version 12.2.5-37.el7cp (7bac42c43d4cdcca7d0c4233344f9a3932636341) luminous (stable)

Comment 10 errata-xmlrpc 2018-09-26 18:23:43 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:2819

Note You need to log in before you can comment on or make changes to this bug.