When the following conditions are true:
1) A host has selinux-policy-targeted,
2) We mount the host's /sys into a privileged container,
3) The container has SELINUXTYPE=targeted in /etc/selinux/config,
4) The container does not have an selinux-policy-targeted package,
then SELinux-enabled applications like restorecon or DNF do not work inside
the container.
Resolve this by making /sys/fs/selinux an empty directory.
Fixes: https://tracker.ceph.com/issues/49239
Signed-off-by: Ken Dreyer <kdreyer@redhat.com>
mounts['/run/udev'] = '/run/udev'
if daemon_type == 'osd':
mounts['/sys'] = '/sys' # for numa.cc, pick_address, cgroups, ...
+ # selinux-policy in the container may not match the host.
+ mounts['/usr/share/empty'] = '/sys/fs/selinux:ro'
mounts['/run/lvm'] = '/run/lvm'
mounts['/run/lock/lvm'] = '/run/lock/lvm'
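Review bot: the new mount relies on `/usr/share/empty` existing and being empty on the host, but nothing in the hunk or the comment states that assumption; it is a standard directory on RHEL/Fedora-family hosts (the platforms where `selinux-policy-targeted` exists), while on other hosts the container runtime will create the missing bind-mount source itself, so the comment should say why this particular path is chosen and that it must stay empty. The comment `# selinux-policy in the container may not match the host.` also does not explain why an empty `/sys/fs/selinux` fixes the problem; a second line such as `# an empty /sys/fs/selinux makes libselinux treat SELinux as disabled inside the container` would help the next reader, since without it the `:ro` bind of an unrelated directory over a sysfs path looks like a mistake. Finally, the mount is only added inside the `if daemon_type == 'osd':` branch, which is correct for this hunk because that is the branch that bind-mounts `/sys`, but any future daemon type that gains a `/sys` mount will need the same override, so consider noting that coupling in the comment or placing the two mounts adjacent so they are changed together.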