From f0f96445b2033ba52acc7bc1e99a777f93464d8b Mon Sep 17 00:00:00 2001
From: Ken Dreyer
Date: Wed, 10 Feb 2021 08:08:51 -0700
Subject: [PATCH] cephadm: make /sys/fs/selinux empty

When the following conditions are true: 1) A host has selinux-policy-targeted, 2) We mount the host's /sys into a privileged container, 3) The container has SELINUXTYPE=targeted in /etc/selinux/config, 4) The container does not have an selinux-policy-targeted package, then SELinux-enabled applications like restorecon or DNF do not work inside the container. Resolve this by making /sys/fs/selinux an empty directory.

Fixes: https://tracker.ceph.com/issues/49239
Signed-off-by: Ken Dreyer
---
 src/cephadm/cephadm | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/cephadm/cephadm b/src/cephadm/cephadm
index 1f3f92b4ebf..76c089b848d 100755
--- a/src/cephadm/cephadm
+++ b/src/cephadm/cephadm
@@ -2233,6 +2233,8 @@ def get_container_mounts(ctx, fsid, daemon_type, daemon_id,
 mounts['/run/udev'] = '/run/udev'
 if daemon_type == 'osd':
 mounts['/sys'] = '/sys' # for numa.cc, pick_address, cgroups, ...
+ # selinux-policy in the container may not match the host.
+ mounts['/usr/share/empty'] = '/sys/fs/selinux:ro'
 mounts['/run/lvm'] = '/run/lvm'
 mounts['/run/lock/lvm'] = '/run/lock/lvm'