From: Sage Weil Date: Fri, 1 Nov 2019 16:01:42 +0000 (-0500) Subject: ceph-daemon: do not relabel system directories X-Git-Tag: v15.1.0~1035^2 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=0444025aaf559a662882abc49465b5e31a66280d;p=ceph.git ceph-daemon: do not relabel system directories These are shared system directories and should not be relabled for use by ceph containers. (Also, trying to relabel /dev prevents the container from starting, e.g. # /bin/podman run -it --net=host --privileged -v /dev:/dev:z --entrypoint bash centos Error: relabel failed "/dev": SELinux relabeling of /dev is not allowed ) Fixes: https://tracker.ceph.com/issues/42511 Signed-off-by: Sage Weil
---
diff --git a/src/ceph-daemon b/src/ceph-daemon
index 71cd85f9547b..523e2980cc68 100755
--- a/src/ceph-daemon
+++ b/src/ceph-daemon
@@ -378,12 +378,12 @@ def get_container_mounts(fsid, daemon_type, daemon_id):
 mounts[data_dir + '/config'] = '/etc/ceph/ceph.conf:z'
 if daemon_type in ['mon', 'osd']:
- mounts['/dev'] = '/dev:z' # FIXME: narrow this down?
- mounts['/run/udev'] = '/run/udev:z'
+ mounts['/dev'] = '/dev' # FIXME: narrow this down?
+ mounts['/run/udev'] = '/run/udev'
 if daemon_type == 'osd':
- mounts['/sys'] = '/sys:z' # for numa.cc, pick_address, cgroups, ...
- mounts['/run/lvm'] = '/run/lvm:z'
- mounts['/run/lock/lvm'] = '/run/lock/lvm:z'
+ mounts['/sys'] = '/sys' # for numa.cc, pick_address, cgroups, ...
+ mounts['/run/lvm'] = '/run/lvm'
+ mounts['/run/lock/lvm'] = '/run/lock/lvm'
 return mounts
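Review bot: The unlabelled entries for `/dev`, `/run/udev`, `/sys`, `/run/lvm` and `/run/lock/lvm` now sit next to `/etc/ceph/ceph.conf:z` with nothing in the code saying the difference is deliberate, so a later cleanup could re-add `:z` and relabel directories the host shares with other services. I would put a comment above the first `if`, e.g. `# host system dirs: never add :z/:Z -- relabeling changes the SELinux context for every host user of the path, and podman refuses it for /dev`. Without relabeling, access to these paths on an SELinux-enforcing host presumably depends on the container running privileged or with labeling disabled; that is decided outside this hunk, so it is worth confirming where the run command is built. The whole-`/dev` bind mount keeps its FIXME, and narrowing it to the devices the daemon needs would reduce what a compromised mon/osd container can reach. get_container_mounts starts above the hunk.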