Workarounds to skip SELinux relabelling in Openshift Data Foundation / Openshift Container Storage

Solution Verified - Updated 1 Jan 2026

Environment

Red Hat OpenShift Container Platform (OCP) 4.x
Red Hat OpenShift Container Storage (OCS) 4.x
Red Hat OpenShift Data Foundation (ODF) 4.x

Issue

NOTE: Automatic SELinux skip recursive relabeling is a feature that will be native to OCP v4.21.

Openshift namespaces are by default, configured to have different Multi-Category Security (MCS ) SELinux settings. A simple way to review this security context is by inspecting a namespace yaml:
```
   oc get project mds-test -o yaml | grep scc.mcs
      openshift.io/sa.scc.mcs: s0:c25,c20
            f:openshift.io/sa.scc.mcs: {}
```
This SELinux context is inherited by all the pods running inside these namespaces. Because of this feature, all the files inside PVs bound to these pods need to be relabeled accordingly to ensure the SELinux context matches the security specs in the pods.
When the number of files in these PVs grows largely (thousands/millions of objects), the pods get stuck in ContainerCreating or init status.

Resolution

NOTE: This solution will ONLY cover new volume mitigation. New volume mitigation creates a storageclass to address any future volumes that will be created using CephFS. If the volumes have already been provisioned, please execute the When using Persistent Volumes with high file counts in OpenShift, why do pods fail to start or take an excessive amount of time to achieve "Ready" state? solution to reconcile this issue. If assistance is needed to execute the referenced solution, please open a Red Hat Support case with the platform team (OCP/Shift).

New Volume Mitigation:

Note: The sample yaml below has the kernelMountOptions: context="system_u:object_r:container_file_t:s0" defined. This is a universal option that will work for any namespace inheriting the already defined context in that namespace.

Create an additional storage class, with the security context set to the required values, using the variable kernelMountOptions. Sample yaml:

  apiVersion: storage.k8s.io/v1
  kind: StorageClass
  metadata:
    name: ocs-storagecluster-cephfs-selinux-relabel
  provisioner: openshift-storage.cephfs.csi.ceph.com
  parameters:
    clusterID: openshift-storage
    csi.storage.k8s.io/controller-expand-secret-name: rook-csi-cephfs-provisioner
    csi.storage.k8s.io/controller-expand-secret-namespace: openshift-storage
    csi.storage.k8s.io/node-stage-secret-name: rook-csi-cephfs-node
    csi.storage.k8s.io/node-stage-secret-namespace: openshift-storage
    csi.storage.k8s.io/provisioner-secret-name: rook-csi-cephfs-provisioner
    csi.storage.k8s.io/provisioner-secret-namespace: openshift-storage
    fsName: ocs-storagecluster-cephfilesystem
    kernelMountOptions: context="system_u:object_r:container_file_t:s0"
  reclaimPolicy: Delete
  volumeBindingMode: Immediate
  allowVolumeExpansion: true

SBR

Product(s)

Components

storage

Category

Troubleshoot

Tags

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.