Fix selinux context for glance-api

Remove the z flag from glance-api's service directory. The service directory does not need to be shared with other containers, and podman fails to apply setting with glance is using NFS (i.e. /var/lib/glance/images is a mount point). Also update the NFS mount options to use svirt_sandbox_file_t, which is consistent with the parent service directory. Closes-Bug: #1834857 Closes-Bug: #1844465 Change-Id: I7e135615fb53815ce14a3bcfec42b28f86d6dbae
2019-09-17 17:24:46 -07:00 · 2019-09-17 17:24:46 -07:00 · aa1f4bf621
parent 9fde6321e0
commit aa1f4bf621
3 changed files with 6 additions and 6 deletions
--- a/deployment/glance/glance-api-container-puppet.yaml
+++ b/deployment/glance/glance-api-container-puppet.yaml
@ -110,7 +110,7 @@ parameters:
      Netapp share to mount for image storage (when GlanceNetappNfsEnabled is true)
    type: string
  GlanceNfsOptions:
-    default: '_netdev,bg,intr,context=system_u:object_r:glance_var_lib_t:s0'
+    default: '_netdev,bg,intr,context=system_u:object_r:svirt_sandbox_file_t:s0'
    description: >
      NFS mount options for image storage (when GlanceNfsEnabled is true)
    type: string
@ -164,7 +164,7 @@ parameters:
      URI that specifies the staging location to use when importing images
    type: string
  GlanceStagingNfsOptions:
-    default: '_netdev,bg,intr,context=system_u:object_r:glance_var_lib_t:s0'
+    default: '_netdev,bg,intr,context=system_u:object_r:svirt_sandbox_file_t:s0'
    description: >
      NFS mount options for NFS image import staging
    type: string
@ -514,7 +514,7 @@ outputs:
                  - /var/lib/kolla/config_files/glance_api.json:/var/lib/kolla/config_files/config.json
                  - /var/lib/config-data/puppet-generated/glance_api/:/var/lib/kolla/config_files/src:ro
                  - /etc/ceph:/var/lib/kolla/config_files/src-ceph:ro
-                  - /var/lib/glance:/var/lib/glance:slave,z
+                  - /var/lib/glance:/var/lib/glance:slave
                -
                  if:
                    - cinder_backend_enabled
--- a/environments/storage-environment.yaml
+++ b/environments/storage-environment.yaml
@ -49,7 +49,7 @@ parameter_defaults:
  ## e.g. "'[fdd0::1]:/export/glance'")
  # GlanceNfsShare: ''
  ## Mount options for the NFS image storage mount point
-  # GlanceNfsOptions: 'intr,context=system_u:object_r:glance_var_lib_t:s0'
+  # GlanceNfsOptions: 'intr,context=system_u:object_r:svirt_sandbox_file_t:s0'


  #### NOVA NFS SETTINGS ####
--- a/environments/storage/glance-nfs.yaml
+++ b/environments/storage/glance-nfs.yaml
@ -19,7 +19,7 @@ parameter_defaults:

  # NFS mount options for image storage (when GlanceNfsEnabled is true)
  # Type: string
-  GlanceNfsOptions: _netdev,bg,intr,context=system_u:object_r:glance_var_lib_t:s0
+  GlanceNfsOptions: _netdev,bg,intr,context=system_u:object_r:svirt_sandbox_file_t:s0

  # NFS share to mount for image storage (when GlanceNfsEnabled is true)
  # Type: string
@ -31,7 +31,7 @@ parameter_defaults:

  # NFS mount options for NFS image import staging
  # Type: string
-  GlanceStagingNfsOptions: _netdev,bg,intr,context=system_u:object_r:glance_var_lib_t:s0
+  GlanceStagingNfsOptions: _netdev,bg,intr,context=system_u:object_r:svirt_sandbox_file_t:s0

  # NFS share to mount for image import staging
  # Type: string