
Re: [atomic-devel] A new policy rpm for Atomic?



On Mon, Jun 27, 2016, at 05:04 AM, Miroslav Grepl wrote:

> So we could start to discuss how it is possible to ship new policy on
> Atomic to solve these urgent issues.

As far as I see, the mac_admin issue (and the missing domain transition from init_t for install_exec_t) has nothing to do with a reduction in policy size/scope, right? rpm-ostree just needs the same abilities granted rpm (yum/dnf) and notably PackageKit (which has been a daemon forever). Hopefully this latest policy update will be the last time it breaks (at least before we figure out how to put a regression test for this in between bodhi and the tree updates).

Anyways, this leads to my biggest concern with having any separate policy - all of a sudden the labels and documentation that people will use when doing Docker on Atomic Host are different from what one gets if one just `yum install docker` on Fedora Server|Workstation, and it means we need separate testing too.

I use docker on Fedora Workstation[1] myself.

I have trouble imagining the pain of carrying that delta is going to be worth the benefit...

> Can you guys think about a way to do it?

Mechanically, it's pretty easy to try it out:

diff --git a/fedora-atomic-docker-host.json b/fedora-atomic-docker-host.json
index 70a1e41..722281d 100644
--- a/fedora-atomic-docker-host.json
+++ b/fedora-atomic-docker-host.json
@@ -1,7 +1,7 @@
 {
     "ref": "fedora-atomic/24/x86_64/docker-host",
 
-    "repos": ["fedora-24"],
+    "repos": ["fedora-24", "mgrepl-seatomic"],
 
     "selinux": true,
 
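Review bot: the new "mgrepl-seatomic" entry in "repos" is not defined anywhere in this diff; the compose needs a matching repo definition alongside the manifest, and since the name reads like a personal scratch repository rather than fedora-24, packages pulled from it sit outside the bodhi gating the mail itself worries about. Either mark this in the commit message as experiment-only or plan to drop the repo once selinux-policy-atomic is available from the regular repository.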
@@ -50,7 +50,7 @@
 		 "sos",
 		 "openssh-clients", "openssh-server", "passwd", "plymouth",
 		 "policycoreutils", "procps-ng", "rootfiles", "rpm",
-		 "selinux-policy-targeted", "setup", "shadow-utils",
+		 "selinux-policy-atomic", "setup", "shadow-utils",
 		 "sudo", "systemd", "util-linux", "vim-minimal",
 		 "less",
 		 "tar",
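Review bot: swapping "selinux-policy-targeted" for "selinux-policy-atomic" in the package list leaves the rest of the set unchanged, and the log quoted in the mail shows docker-selinux then fails to compile its module against the new store while /etc/selinux/config still reads SELINUXTYPE=targeted; either this hunk should also replace docker-selinux (a docker-selinux-atomic, as the mail suggests) or the new policy package has to own /etc/selinux/config with the matching SELINUXTYPE, otherwise the compose errors out at selabel_open exactly as shown.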


Looks like docker-selinux fails to compile:
Failed to resolve 'object_r' in roletype statement at line 2 of /var/lib/selinux/targeted/tmp/modules/400/docker/cil
(Because this is rpm, the %post isn't fatal and we continue, but going beyond experimentation we'd have to have docker-selinux-atomic or figure out how to make the existing policy package somehow conditional.)

Finally though it does error out with:
error: With policy root '/proc/self/fd/16/usr/etc/selinux': selabel_open(SELABEL_CTX_FILE): No such file or directory

Which appears to be because:
# grep SELINUXTYPE /var/tmp/rpm-ostree.work/rootfs.tmp/etc/selinux/config
SELINUXTYPE=targeted 

Which should be easy to fix, but again I'm currently very uncertain about the value proposition here. I think a redesign of the policy would need to cover more of Fedora than just Atomic Host. (For example, what about https://fedoraproject.org/wiki/Changes/WorkstationOstree )

[1] Actually on https://ci.centos.org/job/atomic-fedora-ws/ which is similar to the above except I included docker
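As an added example (not from the mail, rpm-ostree or the policy packages), a small POSIX sh check for the mismatch behind the last error above: SELINUXTYPE in etc/selinux/config names a store whose file_contexts is absent from the rootfs while a differently named store is present. The demo tree, the rootfs path and the "atomic" store name are constructed assumptions.

```shell
#!/bin/sh
# Added example: verify that the SELINUXTYPE named in <root>/etc/selinux/config
# has a matching store under <root>/etc/selinux/<type>/ with a file_contexts,
# which is what selabel_open(SELABEL_CTX_FILE) needs to find.
# check_selinux_store <rootfs>  -> exit 0 when consistent, 1 on mismatch.
check_selinux_store() {
    root=$1
    cfg="$root/etc/selinux/config"
    [ -r "$cfg" ] || { echo "no $cfg" >&2; return 1; }
    # Last uncommented SELINUXTYPE= line, trailing whitespace dropped
    stype=$(sed -n 's/^SELINUXTYPE=\([^[:space:]]*\).*/\1/p' "$cfg" | tail -n 1)
    [ -n "$stype" ] || { echo "SELINUXTYPE not set in $cfg" >&2; return 1; }
    fc="$root/etc/selinux/$stype/contexts/files/file_contexts"
    if [ -f "$fc" ]; then
        echo "ok: SELINUXTYPE=$stype, file_contexts present"
        return 0
    fi
    echo "mismatch: SELINUXTYPE=$stype but $fc is missing" >&2
    # Show which stores actually exist so the fix is obvious
    for f in "$root"/etc/selinux/*/contexts/files/file_contexts; do
        [ -f "$f" ] || continue
        echo "  available store: $(basename "$(dirname "$(dirname "$(dirname "$f")")")")" >&2
    done
    return 1
}

# Constructed demo tree reproducing the situation in the mail: the config still
# says "targeted" but only an "atomic" store was installed by the new package.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/etc/selinux/atomic/contexts/files"
: > "$demo_root/etc/selinux/atomic/contexts/files/file_contexts"
printf 'SELINUX=enforcing\nSELINUXTYPE=targeted \n' > "$demo_root/etc/selinux/config"
check_selinux_store "$demo_root" || echo "fix: set SELINUXTYPE=atomic or ship the targeted store"
```

Run it against a compose work directory such as the rootfs.tmp path from the mail to catch the mismatch before the tree step fails.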

