Allow containers to access files labeled as cert_t #7061
Conversation
Initially binding /etc/pki/ca-trust/extracted:z to mon/rgw containers was done to solve an OSP TripleO issue on RHEL (ceph#3638), but using the z flag brought other issues like https://bugzilla.redhat.com/show_bug.cgi?id=2026953. The z flag prevents local services (like sssd) running on the host from accessing the certificates/files in that folder.

Solving this requires modifying the ceph-selinux package to allow container_t flagged processes to have access to files/folders labelled with cert_t, and using ro instead of the z flag. Two PRs are created to solve this issue: one for ceph-selinux and another one for ceph-ansible.

Signed-off-by: Teoman ONAY <tonay@redhat.com>
state: present | ||
|
||
- name: restore certificates selinux context | ||
command: /usr/sbin/restorecon -RF /etc/pki/ca-trust/extracted |
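Review bot: the `restore certificates selinux context` task runs `/usr/sbin/restorecon -RF /etc/pki/ca-trust/extracted` as a plain `command` with no guard, so it will execute and report `changed` on every play run even when the labels are already correct, and nothing ties it to the point where the unit file stops using `:z`. Suggest adding `changed_when: false` (or registering the output of `restorecon -RFv` and setting `changed_when` on non-empty output), and a short comment pointing at bug 2026953 so a future reader knows why a cert directory needs relabeling in a Ceph role.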
Would you please say more about the problem? What file in /etc/pki/ca-trust/extracted is mis-labeled? What is the thing that's mis-labeling it in the first place?
As the mon and rgw containers need to get access to the local folder /etc/pki/ca-trust/extracted and its content, this line https://github.com/ceph/ceph-ansible/blob/c491e67486d8ed2717b5b9eda96544eb4f7eae2d/roles/ceph-rgw/templates/ceph-radosgw.service.j2#L42 relabels the whole folder content with container_t at container startup. While it gives access to the container(s), it prevents local processes like sssd from accessing the files. Unfortunately, just changing the flag from z to ro does not put the cert_t label back on the files; this is why that restorecon is necessary.

I hope this answers your question.
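As an added example (not code from this PR or from ceph-ansible), a small shell audit for the labeling problem described above: it flags entries under /etc/pki/ca-trust/extracted whose SELinux type is no longer cert_t, rewrites the unit-file mount option from :z to :ro, and wraps the restorecon fix. The `ls -Z` sample is constructed; the live functions assume an SELinux-enabled host with coreutils and policycoreutils installed.

```shell
#!/usr/bin/env bash
# Added example, not part of the ceph-ansible PR. Audits the SELinux type of
# the CA-trust directory: a ':z' bind mount relabels its content for the
# container, which is what locks out host services such as sssd.
set -eu

CERT_DIR="/etc/pki/ca-trust/extracted"
EXPECTED_TYPE="cert_t"   # type the PR says these files must carry

# Read 'ls -Z'-style lines ("user:role:type:level path") on stdin and print
# "path type" for every entry whose type is not $EXPECTED_TYPE.
find_mislabeled() {
    awk -v want="$EXPECTED_TYPE" '
        NF >= 2 {
            split($1, ctx, ":")            # ctx[3] is the SELinux type
            if (ctx[3] != want) print $2, ctx[3]
        }'
}

# Rewrite a podman '-v src:dst:z' option for the cert dir to ':ro',
# i.e. the change the PR makes to the systemd unit template.
mount_ro() {
    sed -E "s#(-v ${CERT_DIR}:${CERT_DIR}):z#\1:ro#g"
}

# Live check on a real host (needs SELinux labels to be visible to ls).
audit_host() {
    find "$CERT_DIR" -print0 | xargs -0 ls -dZ | find_mislabeled
}

# The fix from the PR: restore the policy's default labels recursively.
relabel_host() {
    /usr/sbin/restorecon -RFv "$CERT_DIR"
}

# Constructed sample: what 'ls -Z' shows after a ':z' mount relabeled two
# of the three entries (container_file_t is the type ':z' applies).
SAMPLE_LS_Z='system_u:object_r:cert_t:s0 /etc/pki/ca-trust/extracted/openssl
system_u:object_r:container_file_t:s0 /etc/pki/ca-trust/extracted/pem
system_u:object_r:container_file_t:s0 /etc/pki/ca-trust/extracted/java'

demo() {
    echo "mislabeled entries in sample:"
    printf '%s\n' "$SAMPLE_LS_Z" | find_mislabeled
    echo "unit-file option rewritten:"
    echo "-v ${CERT_DIR}:${CERT_DIR}:z" | mount_ro
}
```

Run `audit_host` on the host to see which files lost cert_t, then `relabel_host` to apply the same restorecon the PR adds to the role.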
This pull request has been automatically marked as stale because it has not had recent activity. It will be closed in two weeks if no further activity occurs. Thank you for your contributions.
Initially binding /etc/pki/ca-trust/extracted:z to mon/rgw containers was done to solve an OSP TripleO issue on RHEL (#3638), but using the z flag brought other issues like https://bugzilla.redhat.com/show_bug.cgi?id=2026953. The z flag prevents local services (like sssd) running on the host from accessing the certificates/files in that folder.

Solving this requires modifying the ceph-selinux package to allow container_t flagged processes to have access to files/folders labelled with cert_t, and using ro instead of the z flag. Two PRs are created to solve this issue: one for ceph-selinux (ceph/ceph#44802) and another one for ceph-ansible (this one).

Signed-off-by: Teoman ONAY tonay@redhat.com