Bug #49239
cephadm cannot deploy OSDs with selinux-policy-minimum
Status: closed
Description
When the following conditions are true:
- A host has selinux-policy-targeted,
- We mount the host's /sys into a privileged container,
- The container has SELINUXTYPE=targeted in /etc/selinux/config,
- The container does not have a selinux-policy-targeted package installed (a result of https://github.com/ceph/ceph-container/pull/1798),
then SELinux-enabled applications like restorecon or DNF do not work inside the container.
Some ideas we considered:
A) Always install the selinux-policy-targeted package inside the container image.
B) Set SELINUXTYPE=minimum in /etc/selinux/config within the container.
C) Stop mounting the host's /sys into the container (like ceph-ansible + Nautilus does); probably not a good idea if Sage added it in https://github.com/ceph/ceph/commit/3ccab99d15e6498b949eca8f133fb3b947c7b629
D) Stop calling restorecon in the container (see https://github.com/ceph/ceph/pull/31421 for discussion about this feature), like Rook does
E) Mount the container's /sys/fs/selinux to an empty directory, similar to the workaround used elsewhere (https://github.com/containers/toolbox/pull/337 , https://github.com/cgwalters/coretoolbox/commit/3c74c64f8edd588852b59b39f8c0f616bfae624b)