Instance create fails due to wrong default secontext with NFS

With NovaNfsEnabled instance create fails due to wrong default secontext. The default in THT is set to nova_var_lib_t in Ie4fe217bd119b638f42c682d21572547f02f17b2 while system_u:object_r:nfs_t:s0 should have access. The virt_use_nfs boolean, which is turned on by openstack-selinux, should cover this use case. This changes the default to context=system_u:object_r:nfs_t:s0 Change-Id: I2a28462b6f6bc9f8a41a81ea8c65471f05df3b85 Closes-Bug: 1781894 (cherry picked from commit 37391bdd73)
2018-07-16 12:05:06 +02:00 · 2018-07-16 12:05:06 +02:00 · 0033569875
parent 2f8bae5bf6
commit 0033569875
4 changed files with 16 additions and 3 deletions
--- a/environments/storage-environment.yaml
+++ b/environments/storage-environment.yaml
@ -59,7 +59,7 @@ parameter_defaults:
  ## e.g. "'[fdd0::1]:/export/nova'")
  # NovaNfsShare: ''
  ## Mount options for the NFS instance file storage mount point
-  # NovaNfsOptions: 'context=system_u:object_r:nova_var_lib_t:s0'
+  # NovaNfsOptions: 'context=system_u:object_r:nfs_t:s0'


  #### CEPH SETTINGS ####
--- a/environments/storage/nova-nfs.yaml
+++ b/environments/storage/nova-nfs.yaml
@ -11,7 +11,7 @@
 parameter_defaults:
  # NFS mount options for nova storage (when NovaNfsEnabled is true)
  # Type: string
-  NovaNfsOptions: context=system_u:object_r:nova_var_lib_t:s0
+  NovaNfsOptions: context=system_u:object_r:nfs_t:s0

  # NFS share to mount for nova storage (when NovaNfsEnabled is true)
  # Type: string
--- a/puppet/services/nova-compute.yaml
+++ b/puppet/services/nova-compute.yaml
@ -65,7 +65,7 @@ parameters:
    description: NFS share to mount for nova storage (when NovaNfsEnabled is true)
    type: string
  NovaNfsOptions:
-    default: 'context=system_u:object_r:nova_var_lib_t:s0'
+    default: 'context=system_u:object_r:nfs_t:s0'
    description: NFS mount options for nova storage (when NovaNfsEnabled is true)
    type: string
  CinderEnableRbdBackend:
--- a/releasenotes/notes/nova_nfs_default_secontext-5ad33675aaf0b521.yaml
+++ b/releasenotes/notes/nova_nfs_default_secontext-5ad33675aaf0b521.yaml
@ -0,0 +1,13 @@
+---
+fixes:
+  - |
+   Instance create fails due to wrong default secontext with NFS
+
+   With NovaNfsEnabled instance create fails due to wrong default
+   secontext. The default in THT is set to nova_var_lib_t in
+   Ie4fe217bd119b638f42c682d21572547f02f17b2 while
+   system_u:object_r:nfs_t:s0 should have access. The virt_use_nfs
+   boolean, which is turned on by openstack-selinux, should cover
+   this use case.
+
+   This changes the default to context=system_u:object_r:nfs_t:s0