From: Ken Dreyer Date: Wed, 10 Feb 2021 15:08:51 +0000 (-0700) Subject: cephadm: make /sys/fs/selinux empty X-Git-Tag: v16.2.0~179^2~2 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=80c59e6f26a71f6ceaa6294bd745a6fba016ce77;p=ceph.git cephadm: make /sys/fs/selinux empty When the following conditions are true: 1) A host has selinux-policy-targeted, 2) We mount the host's /sys into a privileged container, 3) The container has SELINUXTYPE=targeted in /etc/selinux/config, 4) The container does not have an selinux-policy-targeted package, then SELinux-enabled applications like restorecon or DNF do not work inside the container. Resolve this by making /sys/fs/selinux an empty directory. Fixes: https://tracker.ceph.com/issues/49239 Signed-off-by: Ken Dreyer (cherry picked from commit f0f96445b2033ba52acc7bc1e99a777f93464d8b) --- diff --git a/src/cephadm/cephadm b/src/cephadm/cephadm index 6f492e7af7c..09872605103 100755 --- a/src/cephadm/cephadm +++ b/src/cephadm/cephadm @@ -2283,6 +2283,8 @@ def get_container_mounts(ctx, fsid, daemon_type, daemon_id, mounts['/run/udev'] = '/run/udev' if daemon_type == 'osd': mounts['/sys'] = '/sys' # for numa.cc, pick_address, cgroups, ... + # selinux-policy in the container may not match the host. + mounts['/usr/share/empty'] = '/sys/fs/selinux:ro' mounts['/run/lvm'] = '/run/lvm' mounts['/run/lock/lvm'] = '/run/lock/lvm'
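Review bot: the new `mounts['/usr/share/empty'] = '/sys/fs/selinux:ro'` line assumes `/usr/share/empty` exists on every host cephadm runs on; the bind mount source is a hard-coded host path with no existence check, and if the directory is missing on a given distribution the container runtime will either fail the mount or, depending on runtime behaviour, create the source directory, so consider guarding with an `os.path.isdir()` check and falling back to a cephadm-managed empty directory under the daemon's data path. The inline comment should also say what the mount actually does: it masks the host's selinuxfs so that libselinux-based tools inside the container (restorecon, DNF) see no SELinux filesystem and stop trying to apply a policy the container does not ship, as the commit message explains; without that, a later reader may remove what looks like a pointless read-only mount of an empty directory. Note as well that the fix only applies under `if daemon_type == 'osd':`, which matches where `/sys` itself is mounted, but any other daemon type that later gains a `/sys` mount will need the same masking, so a short comment tying the two lines together (or a helper that adds both) would keep them from drifting apart.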