Bug #42511

ceph-daemon fails when selinux is enabled

Added by Sage Weil 4 months ago. Updated 4 months ago.

Status:
Resolved
Priority:
High
Assignee:
-
Category:
Security
Target version:
-
% Done:

0%

Source:
Tags:
Backport:
Regression:
No
Severity:
3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Component(RADOS):
Pull request ID:
Crash signature:

Description

If you setenforce 0, everything is great. Otherwise, however, you get an error like

2019-10-28T03:21:10.741 INFO:tasks.workunit.client.0.smithi180.stderr:Error: relabel failed "/dev": SELinux relabeling of /dev is not allowed

when trying to start a container that passes through /dev. A minimal reproducer (with ceph-daemon):
- wget/curl ceph-daemon from master
- sudo ./ceph-daemon shell

With podman a minimal reproducer is

/bin/podman run -it --net=host  --privileged    -v /dev:/dev:z    --entrypoint bash ceph/daemon-base

History

#1 Updated by Sage Weil 4 months ago

This also fails:

/bin/podman run -it --net=host  --privileged    -v /dev:/dev:z    --entrypoint bash centos

#2 Updated by Sage Weil 4 months ago

#3 Updated by Boris Ranto 4 months ago

What is this used/needed for? Having :z for /dev is not a great idea. Relabelling devices for use in containers in the main system would probably just result in many more issues.

You can just run

/bin/podman run -it --net=host --privileged -v /dev:/dev --entrypoint bash ceph/daemon-base

and that should give you a running container, SELinux might block access to some devices inside the container though. It may be a better idea to use the --device parameter to podman to include only the devices that you need inside the container.

#4 Updated by Sage Weil 4 months ago

Boris Ranto wrote:

What is this used/needed for? Having :z for /dev is not a great idea. Relabelling devices for use in containers in the main system would probably just result in many more issues.

You can just run

/bin/podman run -it --net=host --privileged -v /dev:/dev --entrypoint bash ceph/daemon-base

and that should give you a running container, SELinux might block access to some devices inside the container though. It may be a better idea to use the --device parameter to podman to include only the devices that you need inside the container.

Aha! Okay, I just added the :z because I saw it somewhere else, without knowing what it means.

Can you help me understand if and where we need :z for any of these volume pass-throughs? I think they fall into a few categories:

1. temporary files in /tmp that I'm mapping to various paths inside the container, like
- /tmp/othertempname
- /etc/ceph/ceph.conf
- /etc/ceph/ceph.keyring
do these need relabeling in order for the container processes to access them?

2. the actual daemon state in /var/lib/ceph, like
- /var/lib/ceph/$uuid/mon.foo to /var/lib/ceph/mon/ceph-foo

3. system directories like
- /sys
- /run/udev
- /dev

My guess is: yes, no, no?
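The point raised in #3 (a :z relabel on /dev is refused and is a bad idea anyway) and the mount categories listed in #4 suggest a simple pre-flight check that a wrapper such as ceph-daemon could run before invoking podman. The script below is an added example and is not code from the ceph-daemon project or from this thread: it parses a podman/docker command line, finds every -v/--volume spec that asks for an SELinux relabel (z or Z) of a host path under a protected prefix, reports it, and rebuilds the command with that option dropped. The protected prefix list is an assumption for this example (only /dev is confirmed by the error in the report; /sys, /proc and /run are constructed additions), and the script deliberately does not decide which of the /tmp or /var/lib/ceph mounts need a label, since the thread does not answer that.

```python
"""Lint a podman/docker command line for SELinux relabel options (:z / :Z)
applied to system directories such as /dev.

Added example; not code from the ceph-daemon project. The list of
protected prefixes is an assumption for this example: /dev comes from
the error message in the bug report, the others are constructed additions.
"""
import shlex

# Assumed host prefixes that a container mount should never relabel.
NO_RELABEL_PREFIXES = ("/dev", "/sys", "/proc", "/run")
RELABEL_OPTS = {"z", "Z"}


def parse_volume(spec):
    """Split 'src:dst[:opt,opt]' into (src, dst, set_of_opts)."""
    parts = spec.split(":")
    if len(parts) < 2:
        raise ValueError(f"volume spec must be src:dst[:opts], got {spec!r}")
    opts = set(parts[2].split(",")) if len(parts) > 2 and parts[2] else set()
    return parts[0], parts[1], opts


def build_volume(src, dst, opts):
    """Inverse of parse_volume; omits the options suffix when empty."""
    spec = f"{src}:{dst}"
    return spec + (":" + ",".join(sorted(opts)) if opts else "")


def is_protected(path):
    """True if path equals a protected prefix or lies below one."""
    return any(path == p or path.startswith(p + "/") for p in NO_RELABEL_PREFIXES)


def lint_command(cmd):
    """Return (findings, fixed_argv).

    findings: list of (original_spec, reason) for every -v/--volume that
    requests a relabel of a protected host path.
    fixed_argv: the same command, as an argv list, with those relabel
    options removed; other options (e.g. ro) are preserved.
    """
    argv = shlex.split(cmd)
    findings, fixed = [], []
    i = 0
    while i < len(argv):
        flag, spec = argv[i], None
        if flag in ("-v", "--volume") and i + 1 < len(argv):
            spec = argv[i + 1]
            i += 2
        elif flag.startswith("--volume="):
            flag, spec = "--volume", flag[len("--volume="):]
            i += 1
        else:
            fixed.append(flag)
            i += 1
            continue
        src, dst, opts = parse_volume(spec)
        relabel = opts & RELABEL_OPTS
        if relabel and is_protected(src):
            reason = (f"relabel option '{','.join(sorted(relabel))}' "
                      f"on protected host path {src}")
            findings.append((spec, reason))
            opts -= relabel
        fixed.extend([flag, build_volume(src, dst, opts)])
    return findings, fixed


if __name__ == "__main__":
    # The command from the bug report, constructed here as sample input.
    report_cmd = ("/bin/podman run -it --net=host --privileged "
                  "-v /dev:/dev:z --entrypoint bash ceph/daemon-base")
    found, fixed_argv = lint_command(report_cmd)
    for spec, reason in found:
        print(f"{spec}: {reason}")
    print("suggested:", shlex.join(fixed_argv))
```

Run against the reporter's command it flags /dev:/dev:z and suggests the form Boris gave (-v /dev:/dev with no label option); a mount such as /sys:/sys:ro,Z is rewritten to /sys:/sys:ro so that read-only is kept while the relabel is dropped. Mounts outside the protected prefixes pass through untouched, which is where a --device allow-list, as suggested in #3, would be the next step.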

#5 Updated by Sage Weil 4 months ago

  • Status changed from 12 to Fix Under Review
  • Pull request ID set to 31321

#6 Updated by Sage Weil 4 months ago

  • Status changed from Fix Under Review to Resolved
