Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
This project is now read‑only. Starting Monday, February 2, please use https://ibm-ceph.atlassian.net/ for all bug tracking management.

Bug 1609427

Summary: ceph-volume does not set SELinux context of newly mounted filesystems
Product: [Red Hat Storage] Red Hat Ceph Storage Reporter: Boris Ranto <branto>
Component: Ceph-VolumeAssignee: Boris Ranto <branto>
Status: CLOSED ERRATA QA Contact: Ramakrishnan Periyasamy <rperiyas>
Severity: urgent Docs Contact: Aron Gunn <agunn>
Priority: urgent    
Version: 3.0CC: agunn, branto, ceph-eng-bugs, ceph-qe-bugs, hnallurv, shmohan, tserlin
Target Milestone: rc   
Target Release: 3.1   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: RHEL: ceph-12.2.5-37.el7cp Ubuntu: ceph_12.2.5-22redhat1 Doc Type: Bug Fix
Doc Text:
.The SELinux context is set correctly when using `ceph-volume` for new filesystems The `ceph-volume` utility was not labeling newly created filesystems, which was causing `AVC` denial messages in the `/var/log/audit/audit.log` file. In this release, the `ceph-volume` utility sets the proper SELinux context (`ceph_var_lib_t`), on the OSD filesystem.
 Story Points: ---
Clone Of:
: 1609430 (view as bug list) Environment:
Last Closed: 2018-09-26 18:23:43 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1584264, 1609430    

Description Boris Ranto 2018-07-27 22:30:17 UTC 
Description of problem:
The ceph-volume utility does not restore the SELinux context of newly mounted filesystems. This will result in an unlabelled or improperly labelled OSDs and a lot of avc denials. As a result, people will need to manually relabel the file-system upon deployment to avoid SELinux denials which can take a lot of time.

Version-Release number of selected component (if applicable):
Any

How reproducible:
Always

Steps to Reproduce:
1. Deploy an OSD with ceph-volume
2. Check the audit.log for avc denials
3. Check the context of the mounted file-systems in /var/lib/ceph/osd/

Actual results:
There are avc denials and the SELinux context is incorrect.

Expected results:
No avc denials, the SELinux context is ceph_var_lib_t.

Additional info:
Comment 6 Ramakrishnan Periyasamy 2018-08-03 03:26:51 UTC 
Moving this bug to verified, there is no avc denial messages in /var/log/audit/audit.log

Verified in ceph version 12.2.5-37.el7cp (7bac42c43d4cdcca7d0c4233344f9a3932636341) luminous (stable)
Comment 10 errata-xmlrpc 2018-09-26 18:23:43 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:2819