From: John Mulligan
Date: Tue, 11 Mar 2025 18:51:23 +0000 (-0400)
Subject: qa/cephadm/smb: set virt_sandbox_use_netlink selinux bool on ctdb tests
X-Git-Tag: v20.3.0~268^2
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=06fc55b0a4d994550f05625f10d8f7f0b11863eb;p=ceph.git
qa/cephadm/smb: set virt_sandbox_use_netlink selinux bool on ctdb tests
Try to use the virt_sandbox_use_netlink selinux boolean to avoid getting selinux AVC errors in smb tests using ctdb. Some tests run ctdb with public addresses and the scripts that ctdb uses to manage those IPs calls ss which uses netlink which can cause selinux denials. Attempt to work around that problem by using a selinux boolean documented in `container_selinux(8)`.
Signed-off-by: John Mulligan
---
diff --git a/qa/suites/orch/cephadm/smb/tasks/deploy_smb_ctdb_node_gone_state.yaml b/qa/suites/orch/cephadm/smb/tasks/deploy_smb_ctdb_node_gone_state.yaml
index 0d862b2c5f9..e05869d93e3 100644
--- a/qa/suites/orch/cephadm/smb/tasks/deploy_smb_ctdb_node_gone_state.yaml
+++ b/qa/suites/orch/cephadm/smb/tasks/deploy_smb_ctdb_node_gone_state.yaml
@@ -24,6 +24,9 @@ overrides:
 tasks:
 - cephadm.configure_samba_client_container:
 role: host.d
+- pexec:
+ all:
+ - setsebool -P virt_sandbox_use_netlink 1 || true
 - cephadm:
 - cephadm.shell:
diff --git a/qa/suites/orch/cephadm/smb/tasks/deploy_smb_mgr_clustering_ips.yaml b/qa/suites/orch/cephadm/smb/tasks/deploy_smb_mgr_clustering_ips.yaml
index 3bbf30ea427..45ed41e8212 100644
--- a/qa/suites/orch/cephadm/smb/tasks/deploy_smb_mgr_clustering_ips.yaml
+++ b/qa/suites/orch/cephadm/smb/tasks/deploy_smb_mgr_clustering_ips.yaml
@@ -26,6 +26,9 @@ tasks:
 role: host.d
 - vip:
 count: 1
+- pexec:
+ all:
+ - setsebool -P virt_sandbox_use_netlink 1 || true
 - cephadm:
 - cephadm.shell:
diff --git a/qa/suites/orch/cephadm/smb/tasks/deploy_smb_mgr_ctdb_res_basic.yaml b/qa/suites/orch/cephadm/smb/tasks/deploy_smb_mgr_ctdb_res_basic.yaml
index b9b0ec0d6f1..aab74b1692b 100644
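Review bot: The `|| true` on the added `setsebool` line in deploy_smb_ctdb_node_gone_state.yaml hides every failure, so a run where the boolean was never set looks the same as one where it was, and the AVC denials this commit targets would return with nothing in the log to explain them. Nothing visible in the hunk shows the command running as root; if `pexec` executes as the unprivileged test user, `setsebool -P` would fail every time and the `|| true` would conceal it, so that is worth confirming (and prefixing `sudo` if so). I would keep the step best-effort but make the outcome visible, for example `- setsebool -P virt_sandbox_use_netlink 1 || echo "WARN: virt_sandbox_use_netlink not set" >&2`, or add `- getsebool virt_sandbox_use_netlink || true` after it. The identical line is added in the other four task files of this commit (deploy_smb_mgr_clustering_ips, deploy_smb_mgr_ctdb_res_basic, deploy_smb_mgr_ctdb_res_dom, deploy_smb_mgr_ctdb_res_ips), and the `tasks:` list continues outside each hunk.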
--- a/qa/suites/orch/cephadm/smb/tasks/deploy_smb_mgr_ctdb_res_basic.yaml
+++ b/qa/suites/orch/cephadm/smb/tasks/deploy_smb_mgr_ctdb_res_basic.yaml
@@ -24,6 +24,9 @@ overrides:
 tasks:
 - cephadm.configure_samba_client_container:
 role: host.d
+- pexec:
+ all:
+ - setsebool -P virt_sandbox_use_netlink 1 || true
 - cephadm:
 - cephadm.shell:
diff --git a/qa/suites/orch/cephadm/smb/tasks/deploy_smb_mgr_ctdb_res_dom.yaml b/qa/suites/orch/cephadm/smb/tasks/deploy_smb_mgr_ctdb_res_dom.yaml
index b74593058e2..20a10a7cbc0 100644
--- a/qa/suites/orch/cephadm/smb/tasks/deploy_smb_mgr_ctdb_res_dom.yaml
+++ b/qa/suites/orch/cephadm/smb/tasks/deploy_smb_mgr_ctdb_res_dom.yaml
@@ -24,6 +24,9 @@ overrides:
 tasks:
 - cephadm.deploy_samba_ad_dc:
 role: host.d
+- pexec:
+ all:
+ - setsebool -P virt_sandbox_use_netlink 1 || true
 - cephadm:
 - cephadm.shell:
diff --git a/qa/suites/orch/cephadm/smb/tasks/deploy_smb_mgr_ctdb_res_ips.yaml b/qa/suites/orch/cephadm/smb/tasks/deploy_smb_mgr_ctdb_res_ips.yaml
index 0aa55a53a3d..4f3bcb0a735 100644
--- a/qa/suites/orch/cephadm/smb/tasks/deploy_smb_mgr_ctdb_res_ips.yaml
+++ b/qa/suites/orch/cephadm/smb/tasks/deploy_smb_mgr_ctdb_res_ips.yaml
@@ -26,6 +26,9 @@ tasks:
 role: host.d
 - vip:
 count: 2
+- pexec:
+ all:
+ - setsebool -P virt_sandbox_use_netlink 1 || true
 - cephadm:
 - cephadm.shell:
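Review bot: In deploy_smb_mgr_ctdb_res_ips.yaml the new `pexec` step relaxes container SELinux confinement more widely and for longer than the test appears to need. `all:` applies it to every host, including `host.d`, which the sibling task files in this commit use for the Samba client container or the AD DC and which presumably does not run ctdb, and `-P` writes the boolean into persistent policy rather than only the running one. If test nodes are ever reused without re-imaging, later jobs would inherit the relaxed policy and could miss netlink-related denials. Consider limiting the step to the hosts that run ctdb and dropping `-P` (`setsebool virt_sandbox_use_netlink 1`), and put a comment such as `# ctdb event scripts call ss (netlink); see container_selinux(8)` above the step so the reason survives outside the commit message. The same applies to the other four files touched here.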