Merge PR ceph#39424 into master

* refs/pull/39424/head: cephadm: Mounting <empty> folder for selinux only if it is needed Reviewed-by: Sage Weil <sage@redhat.com> Reviewed-by: Boris Ranto <branto@redhat.com> Reviewed-by: Sebastian Wagner <swagner@suse.com> Reviewed-by: Ken Dreyer <kdreyer@redhat.com>
mgfritch · Feb 15, 2021 · e42bbba · e42bbba
2 parents d14c7ea + c6e1cfb
commit e42bbba
Showing 1 changed file with 17 additions and 9 deletions.
diff --git a/src/cephadm/cephadm b/src/cephadm/cephadm
@@ -2241,7 +2241,11 @@ def get_container_mounts(ctx, fsid, daemon_type, daemon_id,
     if daemon_type == 'osd':
         mounts['/sys'] = '/sys'  # for numa.cc, pick_address, cgroups, ...
         # selinux-policy in the container may not match the host.
-        mounts['/usr/share/empty'] = '/sys/fs/selinux:ro'
+        if HostFacts(ctx).selinux_enabled:
+            selinux_folder = '/var/lib/ceph/%s/selinux' % fsid
+            if not os.path.exists(selinux_folder):
+                os.makedirs(selinux_folder, mode=0o755)
+                mounts[selinux_folder] = '/sys/fs/selinux:ro'
         mounts['/run/lvm'] = '/run/lvm'
         mounts['/run/lock/lvm'] = '/run/lock/lvm'
 
@@ -6169,9 +6173,9 @@ class HostFacts():
 
     @property
     def kernel_security(self):
-        # type: () -> Optional[Dict[str, str]]
+        # type: () -> Dict[str, str]
         """Determine the security features enabled in the kernel - SELinux, AppArmor"""
-        def _fetch_selinux() -> Optional[Dict[str, str]]:
+        def _fetch_selinux() -> Dict[str, str]:
             """Read the selinux config file to determine state"""
             security = {}
             for selinux_path in HostFacts._selinux_path_list:
@@ -6188,9 +6192,9 @@ class HostFacts():
                     else:
                         security['description'] = "SELinux: Enabled({}, {})".format(security['SELINUX'], security['SELINUXTYPE'])
                     return security
-            return None
+            return {}
 
-        def _fetch_apparmor() -> Optional[Dict[str, str]]:
+        def _fetch_apparmor() -> Dict[str, str]:
             """Read the apparmor profiles directly, returning an overview of AppArmor status"""
             security = {}
             for apparmor_path in HostFacts._apparmor_path_list:
@@ -6215,9 +6219,9 @@ class HostFacts():
                         security['description'] += "({})".format(summary_str)
 
                     return security
-            return None
+            return {}
 
-        ret = None
+        ret = {}
         if os.path.exists('/sys/kernel/security/lsm'):
             lsm = read_file(['/sys/kernel/security/lsm']).strip()
             if 'selinux' in lsm:
@@ -6230,14 +6234,19 @@ class HostFacts():
                     "description": "Linux Security Module framework is active, but is not using SELinux or AppArmor"
                 }
 
-        if ret is not None:
+        if ret:
             return ret
 
         return {
             "type": "None",
             "description": "Linux Security Module framework is not available"
         }
 
+    @property
+    def selinux_enabled(self):
+        return (self.kernel_security["type"] == "SELinux") and \
+               (self.kernel_security["description"] != "SELinux: Disabled")
+
     @property
     def kernel_parameters(self):
         # type: () -> Dict[str, str]
@@ -7703,4 +7712,3 @@ def main():
 
 if __name__ == "__main__":
     main()
-