From 9264a868fd8ad2b61ce1b38957c30521ae17a1c0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A9bastien=20Han?=
Date: Wed, 21 Oct 2015 12:02:50 +0200
Subject: [PATCH] Add proper permission for selinux
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Sébastien Han
---
 roles/ceph-mds/tasks/docker/main.yml | 3 +++
 roles/ceph-mds/tasks/docker/selinux.yml | 13 +++++++++++++
 roles/ceph-mon/tasks/docker/main.yml | 3 +++
 roles/ceph-mon/tasks/docker/selinux.yml | 13 +++++++++++++
 roles/ceph-osd/tasks/docker/main.yml | 3 +++
 roles/ceph-osd/tasks/docker/selinux.yml | 13 +++++++++++++
 roles/ceph-rgw/tasks/docker/main.yml | 3 +++
 roles/ceph-rgw/tasks/docker/selinux.yml | 13 +++++++++++++
 8 files changed, 64 insertions(+)
 create mode 100644 roles/ceph-mds/tasks/docker/selinux.yml
 create mode 100644 roles/ceph-mon/tasks/docker/selinux.yml
 create mode 100644 roles/ceph-osd/tasks/docker/selinux.yml
 create mode 100644 roles/ceph-rgw/tasks/docker/selinux.yml
diff --git a/roles/ceph-mds/tasks/docker/main.yml b/roles/ceph-mds/tasks/docker/main.yml
index fe9ca1d53..1c92d4845 100644
--- a/roles/ceph-mds/tasks/docker/main.yml
+++ b/roles/ceph-mds/tasks/docker/main.yml
@@ -9,5 +9,8 @@
 when: ceph_health.rc != 0
 - include: pre_requisite.yml
+- include: selinux.yml
+ when: ansible_os_family == 'RedHat'
+
 - include: fetch_configs.yml
 - include: start_docker_mds.yml
diff --git a/roles/ceph-mds/tasks/docker/selinux.yml b/roles/ceph-mds/tasks/docker/selinux.yml
new file mode 100644
index 000000000..3630824d7
--- /dev/null
+++ b/roles/ceph-mds/tasks/docker/selinux.yml
@@ -0,0 +1,13 @@
+---
+- name: check if selinux is enabled
+ command: getenforce
+ register: sestatus
+ changed_when: false
+
+- name: set selinux permissions
+ shell: chcon -Rt svirt_sandbox_file_t {{ item }}
+ with_items:
+ - /etc/ceph
+ - /var/lib/ceph
+ changed_when: false
+ when: sestatus.stdout != 'Disabled'
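Review bot: The include in roles/ceph-mds/tasks/docker/main.yml is gated on `when: ansible_os_family == 'RedHat'`, which stands in for "SELinux may be active here"; a host of another family running SELinux in enforcing mode would skip the relabel, and the containers would presumably be denied access to the mounted Ceph directories. Gating on SELinux state instead (for example the `ansible_selinux` fact, where facts are gathered and it is populated) would tie the condition to what actually matters; if the family test is kept, a comment such as `# SELinux labelling is only expected on RedHat-family hosts` would record the assumption. The same three lines are added to the ceph-mon, ceph-osd and ceph-rgw main.yml hunks, and the task list begins before each hunk.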
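Review bot: The `set selinux permissions` task relabels with `shell: chcon -Rt svirt_sandbox_file_t {{ item }}` and then forces `changed_when: false`, so the play never reports a security-relevant change, and the new type is not recorded in the file-context database: a later `restorecon` or full relabel would revert it. The `file` module, e.g. `file: path={{ item }} setype=svirt_sandbox_file_t recurse=yes`, avoids the shell, is idempotent and reports real changes; a `semanage fcontext` rule for both paths is what would make the type survive a relabel. The type is applied recursively to /etc/ceph, which presumably holds the cluster keyrings, and no MCS category is set, so SELinux will no longer separate that content between containers on the host; a comment stating that this shared label is intended would help the next reader. The first task also fails outright where `getenforce` is not installed. The identical file (blob 3630824d7) is added under ceph-mon, ceph-osd and ceph-rgw, so this applies to all four copies, and sharing one task file would keep them from drifting apart.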
diff --git a/roles/ceph-mon/tasks/docker/main.yml b/roles/ceph-mon/tasks/docker/main.yml
index d59291b15..22489ff99 100644
--- a/roles/ceph-mon/tasks/docker/main.yml
+++ b/roles/ceph-mon/tasks/docker/main.yml
@@ -9,6 +9,9 @@
 when: ceph_health.rc != 0
 - include: pre_requisite.yml
+- include: selinux.yml
+ when: ansible_os_family == 'RedHat'
+
 - include: fetch_configs.yml
 - include: start_docker_monitor.yml
 - include: copy_configs.yml
diff --git a/roles/ceph-mon/tasks/docker/selinux.yml b/roles/ceph-mon/tasks/docker/selinux.yml
new file mode 100644
index 000000000..3630824d7
--- /dev/null
+++ b/roles/ceph-mon/tasks/docker/selinux.yml
@@ -0,0 +1,13 @@
+---
+- name: check if selinux is enabled
+ command: getenforce
+ register: sestatus
+ changed_when: false
+
+- name: set selinux permissions
+ shell: chcon -Rt svirt_sandbox_file_t {{ item }}
+ with_items:
+ - /etc/ceph
+ - /var/lib/ceph
+ changed_when: false
+ when: sestatus.stdout != 'Disabled'
diff --git a/roles/ceph-osd/tasks/docker/main.yml b/roles/ceph-osd/tasks/docker/main.yml
index 956ac924e..b0a2a27fd 100644
--- a/roles/ceph-osd/tasks/docker/main.yml
+++ b/roles/ceph-osd/tasks/docker/main.yml
@@ -9,5 +9,8 @@
 when: ceph_health.rc != 0
 - include: pre_requisite.yml
+- include: selinux.yml
+ when: ansible_os_family == 'RedHat'
+
 - include: fetch_configs.yml
 - include: start_docker_osd.yml
diff --git a/roles/ceph-osd/tasks/docker/selinux.yml b/roles/ceph-osd/tasks/docker/selinux.yml
new file mode 100644
index 000000000..3630824d7
--- /dev/null
+++ b/roles/ceph-osd/tasks/docker/selinux.yml
@@ -0,0 +1,13 @@
+---
+- name: check if selinux is enabled
+ command: getenforce
+ register: sestatus
+ changed_when: false
+
+- name: set selinux permissions
+ shell: chcon -Rt svirt_sandbox_file_t {{ item }}
+ with_items:
+ - /etc/ceph
+ - /var/lib/ceph
+ changed_when: false
+ when: sestatus.stdout != 'Disabled'
diff --git a/roles/ceph-rgw/tasks/docker/main.yml b/roles/ceph-rgw/tasks/docker/main.yml
index 48ef901b9..ffd5db2e6 100644
--- a/roles/ceph-rgw/tasks/docker/main.yml
+++ b/roles/ceph-rgw/tasks/docker/main.yml
@@ -9,5 +9,8 @@
 when: ceph_health.rc != 0
 - include: pre_requisite.yml
+- include: selinux.yml
+ when: ansible_os_family == 'RedHat'
+
 - include: fetch_configs.yml
 - include: start_docker_rgw.yml
diff --git a/roles/ceph-rgw/tasks/docker/selinux.yml b/roles/ceph-rgw/tasks/docker/selinux.yml
new file mode 100644
index 000000000..3630824d7
--- /dev/null
+++ b/roles/ceph-rgw/tasks/docker/selinux.yml
@@ -0,0 +1,13 @@
+---
+- name: check if selinux is enabled
+ command: getenforce
+ register: sestatus
+ changed_when: false
+
+- name: set selinux permissions
+ shell: chcon -Rt svirt_sandbox_file_t {{ item }}
+ with_items:
+ - /etc/ceph
+ - /var/lib/ceph
+ changed_when: false
+ when: sestatus.stdout != 'Disabled'