From fb431ccebec81df53f247c0962225c646adee473 Mon Sep 17 00:00:00 2001
From: Alan Bishop
Date: Tue, 17 Sep 2019 17:24:46 -0700
Subject: [PATCH] Fix selinux context for glance-api
Remove the z flag from glance-api's service directory. The service directory does not need to be shared with other containers, and podman fails to apply setting with glance is using NFS (i.e. /var/lib/glance/images is a mount point). Also update the NFS mount options to use svirt_sandbox_file_t, which is consistent with the parent service directory.
Closes-Bug: #1834857
Closes-Bug: #1844465
Change-Id: I7e135615fb53815ce14a3bcfec42b28f86d6dbae
(cherry picked from commit aa1f4bf62156fa5e72b8171702acf3db755a67d8)
---
 deployment/glance/glance-api-container-puppet.yaml | 6 +++---
 environments/storage-environment.yaml | 2 +-
 environments/storage/glance-nfs.yaml | 4 ++--
 3 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/deployment/glance/glance-api-container-puppet.yaml b/deployment/glance/glance-api-container-puppet.yaml
index d01cde592d..118275ae91 100644
--- a/deployment/glance/glance-api-container-puppet.yaml
+++ b/deployment/glance/glance-api-container-puppet.yaml
@@ -111,7 +111,7 @@ parameters:
 Netapp share to mount for image storage (when GlanceNetappNfsEnabled is true)
 type: string
 GlanceNfsOptions:
- default: '_netdev,bg,intr,context=system_u:object_r:glance_var_lib_t:s0'
+ default: '_netdev,bg,intr,context=system_u:object_r:svirt_sandbox_file_t:s0'
 description: >
 NFS mount options for image storage (when GlanceNfsEnabled is true)
 type: string
@@ -165,7 +165,7 @@ parameters:
 URI that specifies the staging location to use when importing images
 type: string
 GlanceStagingNfsOptions:
- default: '_netdev,bg,intr,context=system_u:object_r:glance_var_lib_t:s0'
+ default: '_netdev,bg,intr,context=system_u:object_r:svirt_sandbox_file_t:s0'
 description: >
 NFS mount options for NFS image import staging
 type: string
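Review bot: The new `GlanceNfsOptions` default, and the matching `GlanceStagingNfsOptions` default in the hunk at line 165, only reach deployments that do not override these parameters; an environment file that still carries `context=system_u:object_r:glance_var_lib_t:s0` keeps the old label on the mount, and whether the glance_api container can access it then is not something these hunks show. The descriptions should state the requirement, for example by appending `The context= option must name a type the glance_api container can access (svirt_sandbox_file_t by default).`, and a release note should call out the changed default for operators with custom values. It is also worth recording that `svirt_sandbox_file_t` at level `s0` is the generic container file type, so type enforcement alone no longer distinguishes the image store from other container content on the host; that looks like an intended trade-off, but it should be written down. The same applies to the `GlanceNfsOptions` values in the two environment files later in the patch.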
@@ -538,7 +538,7 @@ outputs:
 - /var/lib/kolla/config_files/glance_api.json:/var/lib/kolla/config_files/config.json
 - /var/lib/config-data/puppet-generated/glance_api/:/var/lib/kolla/config_files/src:ro
 - /etc/ceph:/var/lib/kolla/config_files/src-ceph:ro
- - /var/lib/glance:/var/lib/glance:slave,z
+ - /var/lib/glance:/var/lib/glance:slave
 - if: - cinder_backend_enabled
diff --git a/environments/storage-environment.yaml b/environments/storage-environment.yaml
index 9752e2a426..9ffb890ecb 100644
--- a/environments/storage-environment.yaml
+++ b/environments/storage-environment.yaml
@@ -49,7 +49,7 @@ parameter_defaults:
 ## e.g. "'[fdd0::1]:/export/glance'")
 # GlanceNfsShare: ''
 ## Mount options for the NFS image storage mount point
- # GlanceNfsOptions: 'intr,context=system_u:object_r:glance_var_lib_t:s0'
+ # GlanceNfsOptions: 'intr,context=system_u:object_r:svirt_sandbox_file_t:s0'
 #### NOVA NFS SETTINGS ####
diff --git a/environments/storage/glance-nfs.yaml b/environments/storage/glance-nfs.yaml
index e22e27357c..21f5c68eef 100644
--- a/environments/storage/glance-nfs.yaml
+++ b/environments/storage/glance-nfs.yaml
@@ -19,7 +19,7 @@ parameter_defaults:
 # NFS mount options for image storage (when GlanceNfsEnabled is true)
 # Type: string
- GlanceNfsOptions: _netdev,bg,intr,context=system_u:object_r:glance_var_lib_t:s0
+ GlanceNfsOptions: _netdev,bg,intr,context=system_u:object_r:svirt_sandbox_file_t:s0
 # NFS share to mount for image storage (when GlanceNfsEnabled is true)
 # Type: string
@@ -31,7 +31,7 @@ parameter_defaults:
 # NFS mount options for NFS image import staging
 # Type: string
- GlanceStagingNfsOptions: _netdev,bg,intr,context=system_u:object_r:glance_var_lib_t:s0
+ GlanceStagingNfsOptions: _netdev,bg,intr,context=system_u:object_r:svirt_sandbox_file_t:s0
 # NFS share to mount for image import staging
 # Type: string
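Review bot: With `z` removed from `/var/lib/glance:/var/lib/glance:slave` (hunk at line 538), nothing visible here ensures the host directory carries a label the container can access when NFS is not in use. The commit message implies the service directory is already labelled `svirt_sandbox_file_t`, but that labelling happens outside the lines shown. A comment above the entry would record the dependency and keep the flag from being re-added by habit, e.g. `# no :z - podman cannot relabel an NFS mount point; the label is set on the host directory or by the NFS context= option`. Dropping the shared relabel is the tighter setting only if that host-side labelling exists, so it should be confirmed on a node upgraded from a release that relied on `z`. The volume list starts before and continues after this hunk.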