From c6e1cfbde241c70f31f19c00d18c7c4e51a13f7b Mon Sep 17 00:00:00 2001
From: =?utf8?q?Juan=20Miguel=20Olmo=20Mart=C3=ADnez?=
Date: Thu, 11 Feb 2021 17:51:49 +0100
Subject: [PATCH] cephadm: Mounting folder for selinux only if it is needed
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

There are OSs without folder. And selinux can be enabled or not.

Signed-off-by: Juan Miguel Olmo Martínez
---
 src/cephadm/cephadm | 26 +++++++++++++++++---------
 1 file changed, 17 insertions(+), 9 deletions(-)

diff --git a/src/cephadm/cephadm b/src/cephadm/cephadm
index 76c089b848df8..6303e97e5e6f1 100755
--- a/src/cephadm/cephadm
+++ b/src/cephadm/cephadm
@@ -2234,7 +2234,11 @@ def get_container_mounts(ctx, fsid, daemon_type, daemon_id,
 if daemon_type == 'osd':
 mounts['/sys'] = '/sys' # for numa.cc, pick_address, cgroups, ...
 # selinux-policy in the container may not match the host.
- mounts['/usr/share/empty'] = '/sys/fs/selinux:ro'
+ if HostFacts(ctx).selinux_enabled:
+ selinux_folder = '/var/lib/ceph/%s/selinux' % fsid
+ if not os.path.exists(selinux_folder):
+ os.makedirs(selinux_folder, mode=0o755)
+ mounts[selinux_folder] = '/sys/fs/selinux:ro'
 mounts['/run/lvm'] = '/run/lvm'
 mounts['/run/lock/lvm'] = '/run/lock/lvm'
@@ -6150,9 +6154,9 @@ class HostFacts():
 @property
 def kernel_security(self):
- # type: () -> Optional[Dict[str, str]]
+ # type: () -> Dict[str, str]
 """Determine the security features enabled in the kernel - SELinux, AppArmor"""
- def _fetch_selinux() -> Optional[Dict[str, str]]:
+ def _fetch_selinux() -> Dict[str, str]:
 """Read the selinux config file to determine state"""
 security = {}
 for selinux_path in HostFacts._selinux_path_list:
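Review bot: The `os.path.exists` / `os.makedirs` pair on the new side accepts any pre-existing path at `/var/lib/ceph/<fsid>/selinux` — a symlink or a regular file included — and the next line then hands that path to the container runtime as the bind-mount source for the container's `/sys/fs/selinux`. `/var/lib/ceph/<fsid>` is the daemons' data root; if it is writable by the ceph uid (its creation is not visible in this patch), a planted symlink could expose an arbitrary host directory read-only inside the OSD container, and the exists/makedirs split is also a small TOCTOU window. Create the directory idempotently and refuse anything that is not a plain directory: `os.makedirs(selinux_folder, mode=0o755, exist_ok=True)` followed by `if os.path.islink(selinux_folder) or not os.path.isdir(selinux_folder): raise ...` using the file's usual error type. Separately, `HostFacts(ctx)` is constructed on every call for an OSD; if its constructor gathers host facts eagerly (its body is not in this patch) that is worth hoisting or caching. `get_container_mounts` starts and ends outside this hunk.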
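Review bot: `_fetch_selinux` now signals "no config file found" with an empty dict and the later `if ret:` test in `kernel_security` depends on that value being falsy, but the docstring on the new side still only reads `"""Read the selinux config file to determine state"""`. Spell the sentinel out so the truthiness contract survives future edits, e.g. `"""Read the selinux config file to determine state; returns {} when no config file is found."""`, and do the same for `_fetch_apparmor` in the next hunk. The body of `_fetch_selinux` runs past the end of this hunk.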
@@ -6169,9 +6173,9 @@ class HostFacts():
 else:
 security['description'] = "SELinux: Enabled({}, {})".format(security['SELINUX'], security['SELINUXTYPE'])
 return security
- return None
+ return {}
- def _fetch_apparmor() -> Optional[Dict[str, str]]:
+ def _fetch_apparmor() -> Dict[str, str]:
 """Read the apparmor profiles directly, returning an overview of AppArmor status"""
 security = {}
 for apparmor_path in HostFacts._apparmor_path_list:
@@ -6196,9 +6200,9 @@ class HostFacts():
 security['description'] += "({})".format(summary_str)
 return security
- return None
+ return {}
- ret = None
+ ret = {}
 if os.path.exists('/sys/kernel/security/lsm'):
 lsm = read_file(['/sys/kernel/security/lsm']).strip()
 if 'selinux' in lsm:
@@ -6211,7 +6215,7 @@ class HostFacts():
 "description": "Linux Security Module framework is active, but is not using SELinux or AppArmor"
 }
- if ret is not None:
+ if ret:
 return ret
 return {
@@ -6219,6 +6223,11 @@ class HostFacts():
 "description": "Linux Security Module framework is not available"
 }
+ @property
+ def selinux_enabled(self):
+ return (self.kernel_security["type"] == "SELinux") and \
+ (self.kernel_security["description"] != "SELinux: Disabled")
+
 @property
 def kernel_parameters(self):
 # type: () -> Dict[str, str]
@@ -7684,4 +7693,3 @@ def main():
 if __name__ == "__main__":
 main()
-
-- 
2.39.5
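Review bot: `selinux_enabled` evaluates `self.kernel_security` twice, and that property re-reads `/sys/kernel/security/lsm` and the SELinux/AppArmor config files on every access (see the `ret = {}` hunk above), so the facts are gathered twice per call and could in principle differ between the two reads; bind it once — `security = self.kernel_security` then `return security["type"] == "SELinux" and security["description"] != "SELinux: Disabled"` — and add `# type: () -> bool` to match the type-comment style used on `kernel_security` and `kernel_parameters`. The decision also string-matches a human-readable description that, per the `security['SELINUX']` branch further up, is derived from the SELinux config file, i.e. the boot-time setting rather than the live state; since the only caller in `get_container_mounts` masks the host's selinuxfs mount, checking whether that mount is actually present (e.g. `os.path.ismount('/sys/fs/selinux')`) would track the thing being masked more directly. I cannot see from this patch whether every `kernel_security` return path sets `"type"`, so `security.get("type")` may be safer than indexing.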