Bug #51632

closed

cephadm: selinux is not checked against running configuration

Added by Javier Cacheiro almost 3 years ago. Updated over 2 years ago.

Status: Resolved
Priority: Normal
Category: -
Target version: -
% Done: 0%
Source:
Tags:
Backport: pacific
Regression: No
Severity: 3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:
Crash signature (v1):
Crash signature (v2):

Description

The _fetch_selinux function inside kernel_security in cephadm is not checking the actual selinux mode in which the kernel is running but the one configured in /etc/selinux/config. The configured and the actual modes can be different.

For example, the mode in the configuration file and the actual mode will differ if the server has not been rebooted since the change in the config file. They will also differ if the mode was changed after boot using setenforce.

This leads to a wrong assumption of the selinux mode when launching docker commands like `inventory` that causes the command to fail.

The actual selinux mode should be checked by looking at the output of the getenforce command; this will get the current selinux mode in which the kernel is running.
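The mismatch described in this report can be checked by comparing the `SELINUX=` value in `/etc/selinux/config` with what `getenforce` prints. The following is an added example, not cephadm's code and not part of the original report; the function names and the sample config content are hypothetical and constructed for illustration.

```python
import shutil
import subprocess

MODES = {"enforcing", "permissive", "disabled"}

def configured_mode(config_text):
    """Return the SELINUX= value from /etc/selinux/config content, or None."""
    mode = None
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and commented-out settings
        key, sep, value = line.partition("=")
        if sep and key.strip() == "SELINUX":  # exact key, so SELINUXTYPE is ignored
            value = value.strip().lower()
            mode = value if value in MODES else None
    return mode

def running_mode(getenforce_output=None):
    """Return the mode the kernel is running in, taken from getenforce output."""
    if getenforce_output is None:
        if shutil.which("getenforce") is None:
            return None  # SELinux userspace tools not installed
        getenforce_output = subprocess.run(
            ["getenforce"], capture_output=True, text=True, check=False
        ).stdout
    value = getenforce_output.strip().lower()
    return value if value in MODES else None

def selinux_state(config_text, getenforce_output=None):
    """Report both modes and whether the config file misrepresents the runtime."""
    configured = configured_mode(config_text)
    running = running_mode(getenforce_output)
    return {
        "configured": configured,
        "running": running,
        "drift": running is not None and configured != running,
    }

# Constructed sample: config edited to "disabled" but the host not rebooted yet.
SAMPLE_CONFIG = """\
# This file controls the state of SELinux on the system.
SELINUX=disabled
SELINUXTYPE=targeted
"""

if __name__ == "__main__":
    print(selinux_state(SAMPLE_CONFIG, "Enforcing\n"))
```

On a live host, call `selinux_state(open("/etc/selinux/config").read())` so the running mode comes from the real `getenforce` binary; any decision that depends on SELinux should use the `running` value.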
