From 2b908ed8cfeafc84d098600ae8a06170a5a3fb7b Mon Sep 17 00:00:00 2001
From: Deepak C Shetty <deepakcs@redhat.com>
Date: Fri, 11 Mar 2016 09:25:25 +0000
Subject: [PATCH] ceph-osd: Set selinux to permissive

Currently we don't yet support runnings OSDs w/ selinux in
enforcing mode. Thus its better to ensure that ceph-ansible
explicitly makes selinux permissive. This should help in
scenarios such as hyperconverged where OSDs are colocated
with VMs on compute nodes which needs selinux enforcing, but
OSDs don't.

Signed-off-by: Deepak C Shetty <deepakcs@redhat.com>
---
 roles/ceph-osd/tasks/activate_osds.yml | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/roles/ceph-osd/tasks/activate_osds.yml b/roles/ceph-osd/tasks/activate_osds.yml
index 956c0cc5b..b9b7c1f02 100644
--- a/roles/ceph-osd/tasks/activate_osds.yml
+++ b/roles/ceph-osd/tasks/activate_osds.yml
@@ -41,6 +41,16 @@
 - include: osd_fragment.yml
   when: crush_location
 
+- name: set selinux to permissive and make it persistent
+  selinux:
+    policy: targeted
+    state: permissive
+  when:
+    ansible_selinux != false and
+    ansible_selinux['status'] == 'enabled' and
+    ansible_selinux['config_mode'] != 'disabled' and
+    not is_ceph_infernalis
+
 - name: start and add that the osd service(s) to the init sequence (before infernalis)
   service:
     name: ceph