RepoMirrors/ceph
1
0
Fork 0
mirror of https://github.com/ceph/ceph synced 2025-02-20 17:37:29 +00:00
Code Issues Packages Projects Releases Wiki Activity

cephadm: make /sys/fs/selinux empty

Browse Source 
When the following conditions are true:

  1) A host has selinux-policy-targeted,
  2) We mount the host's /sys into a privileged container,
  3) The container has SELINUXTYPE=targeted in /etc/selinux/config,
  4) The container does not have an selinux-policy-targeted package,

then SELinux-enabled applications like restorecon or DNF do not work inside
the container.

Resolve this by making /sys/fs/selinux an empty directory.

Fixes: https://tracker.ceph.com/issues/49239

Signed-off-by: Ken Dreyer <kdreyer@redhat.com>
This commit is contained in:
Ken Dreyer 2021-02-10 08:08:51 -07:00
parent 6c5ccc10b0
commit f0f96445b2
1 changed files with 2 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/cephadm/cephadm
View File

@ -2233,6 +2233,8 @@ def get_container_mounts(ctx, fsid, daemon_type, daemon_id,
mounts['/run/udev'] = '/run/udev'
if daemon_type == 'osd':
mounts['/sys'] = '/sys' # for numa.cc, pick_address, cgroups, ...
# selinux-policy in the container may not match the host.
mounts['/usr/share/empty'] = '/sys/fs/selinux:ro'
mounts['/run/lvm'] = '/run/lvm'
mounts['/run/lock/lvm'] = '/run/lock/lvm'