Bug #49239
Updated by Ken Dreyer about 3 years ago
When the following conditions are true:

# A host has @selinux-policy-targeted@,
# We mount the host's @/sys@ into a privileged container,
# The container has @SELINUXTYPE=targeted@ in @/etc/selinux/config@,
# The container does not have an @selinux-policy-targeted@ package installed (a result of https://github.com/ceph/ceph-container/pull/1798),

then SELinux-enabled applications like restorecon or DNF do not work inside the container.

Some ideas we considered:

A) Always install the @selinux-policy-targeted@ package inside the container image.
B) Set @SELINUXTYPE=minimum@ in @/etc/selinux/config@ within the container.
C) Stop mounting the host's @/sys@ into the container (like ceph-ansible + Nautilus does); probably not a good idea if Sage added it in https://github.com/ceph/ceph/commit/3ccab99d15e6498b949eca8f133fb3b947c7b629
D) Stop calling @restorecon@ in the container (see https://github.com/ceph/ceph/pull/31421 for discussion about this feature), like Rook does
E) Mount the container's @/sys/fs/selinux@ to an empty directory, similar to workarounds elsewhere (https://github.com/containers/toolbox/pull/337 , https://github.com/cgwalters/coretoolbox/commit/3c74c64f8edd588852b59b39f8c0f616bfae624b)
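The following is an added diagnostic, not code from the tracker or from the Ceph project, that checks for the condition combination described in the comment from inside a container: a config naming a policy type, a host selinuxfs mounted at @/sys/fs/selinux@, and no policy store for that type in the image. The paths to the config, the @/etc/selinux@ tree and the selinuxfs mount are parameters so it can be pointed at test directories; the policy and file_contexts paths it looks for are the standard Fedora/RHEL locations.

```shell
#!/bin/sh
# Added diagnostic (not part of the ceph tracker or ceph-container).
# Usage: check_selinux_policy /etc/selinux/config /etc/selinux /sys/fs/selinux
# Prints one of: no-type, selinuxfs-absent, ok, policy-missing:<type>
# and returns non-zero only for the mismatch that breaks restorecon/dnf.

selinux_policy_type() {
    # Extract SELINUXTYPE=<value> from a selinux config file, ignoring
    # comments and surrounding whitespace; last assignment wins.
    sed -n 's/^[[:space:]]*SELINUXTYPE[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' \
        "$1" 2>/dev/null | tail -n 1
}

check_selinux_policy() {
    cfg="$1"; seroot="$2"; sefs="$3"
    type=$(selinux_policy_type "$cfg")
    if [ -z "$type" ]; then
        # No SELINUXTYPE in the config: nothing references a policy store.
        echo "no-type"; return 0
    fi
    if [ ! -e "$sefs/enforce" ]; then
        # selinuxfs not mounted (host /sys not shared): tools see SELinux
        # as disabled and never try to load the policy store.
        echo "selinuxfs-absent"; return 0
    fi
    # With selinuxfs present, libselinux tools expect the named policy
    # store and its file_contexts under $seroot/<type>.
    if ls "$seroot/$type/policy"/policy.* >/dev/null 2>&1 \
       && [ -f "$seroot/$type/contexts/files/file_contexts" ]; then
        echo "ok"; return 0
    fi
    # Config says $type, host selinuxfs is visible, but the image lacks
    # the policy package: the situation reported in this bug.
    echo "policy-missing:$type"; return 1
}
```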