When cephadm writes client files to hosts, the new files are created in
/tmp/cephadm-<fsid> and then moved to their target directory. This makes
the client files receive the usr_tmp_t context, which is different than
their original context.
mv -Z will set the SELinux security context type of the target file
based on the SELinux policy rules for the target directory.
Fixes: https://tracker.ceph.com/issues/69395
Signed-off-by: zaken <yonatan.zaken.ext@nokia.com>
await self._check_execute_command(host, chown, addr=addr)
chmod = RemoteCommand(Executables.CHMOD, [oct(mode)[2:], tmp_path])
await self._check_execute_command(host, chmod, addr=addr)
- mv = RemoteCommand(Executables.MV, [tmp_path, path])
+ mv = RemoteCommand(Executables.MV, ['-Z', tmp_path, path])
await self._check_execute_command(host, mv, addr=addr)
except Exception as e:
msg = f"Unable to write {host}:{path}: {e}"
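Review bot: `-Z` is passed unconditionally in `mv = RemoteCommand(Executables.MV, ['-Z', tmp_path, path])`, so every file write now depends on the remote host's `mv` accepting that option. If a host's `mv` rejects `-Z`, `_check_execute_command` fails and the write ends in the `except` branch with "Unable to write {host}:{path}", where the plain move would have succeeded. Please confirm that every supported host distribution ships an `mv` that accepts `-Z`, or fall back to the plain `mv` when it does not. A short comment above the line would also help: the reason for the flag (files staged under /tmp/cephadm-<fsid> otherwise keep the temporary directory's context after the move) is currently recorded only in the commit message.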