[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [atomic-devel] A new policy rpm for Atomic?

I believe the types have to be maintained between the two. svirt_lxc_net_t, and svirt_sandbox_file_t. Although I would like to see these aliased to container_net_t and container_file_t, We need to make sure the docs work on either platform.

On 07/05/2016 12:18 PM, Colin Walters wrote:
On Mon, Jun 27, 2016, at 05:04 AM, Miroslav Grepl wrote:

So we could start to discuss how it is possible to ship new policy on
Atomic to solve these urgent issues.
As far as I see, the mac_admin issue (and the missing domain transition from init_t for install_exec_t) has nothing to do with a reduction in policy size/scope, right?   rpm-ostree just needs the same abilities granted rpm (yum/dnf) and notably PackageKit (which has been a daemon forever).  Hopefully this latest policy update will be the last time it breaks (at least before we figure out how to put a regression test for this in between bodhi and the tree updates).

Anyways, this leads to my biggest concern with having any separate policy - all of a sudden the labels and documentation that people will use when doing Docker on Atomic Host are different from what one gets if one just `yum install docker` on Fedora Server|Workstation, and it means we need separate testing too.

I use docker on Fedora Workstation[1] myself.

I have trouble imagining the pain of carrying that delta is going to be worth the benefit...

Can you think guys about a way how to do it?
Mechanically, it's pretty easy to try it out:

diff --git a/fedora-atomic-docker-host.json b/fedora-atomic-docker-host.json
index 70a1e41..722281d 100644
--- a/fedora-atomic-docker-host.json
+++ b/fedora-atomic-docker-host.json
@@ -1,7 +1,7 @@
      "ref": "fedora-atomic/24/x86_64/docker-host",
- "repos": ["fedora-24"],
+    "repos": ["fedora-24", "mgrepl-seatomic"],
"selinux": true, @@ -50,7 +50,7 @@
  		 "openssh-clients", "openssh-server", "passwd", "plymouth",
  		 "policycoreutils", "procps-ng", "rootfiles", "rpm",
-		 "selinux-policy-targeted", "setup", "shadow-utils",
+		 "selinux-policy-atomic", "setup", "shadow-utils",
  		 "sudo", "systemd", "util-linux", "vim-minimal",

Looks like docker-selinux fails to compile:
Failed to resolve 'object_r' in roletype statement at line 2 of /var/lib/selinux/targeted/tmp/modules/400/docker/cil
(Because this is rpm the %post isn't fatal and we continue, but going beyond experimentation
  then we'd have to have docker-selinux-atomic or figure out how to have the existing
  policy package somehow conditional)

Finally though it does error out with:
error: With policy root '/proc/self/fd/16/usr/etc/selinux': selabel_open(SELABEL_CTX_FILE): No such file or directory

Which appears to be because:
# grep SELINUXTYPE /var/tmp/rpm-ostree.work/rootfs.tmp/etc/selinux/config

Which should be easy to fix but again I'm currently very uncertain about the value proposition here.  I think a redesign of the policy would need to cover more of Fedora than just Atomic Host.   (For example, what about https://fedoraproject.org/wiki/Changes/WorkstationOstree )

[1] Actually on https://ci.centos.org/job/atomic-fedora-ws/ which is similar to the above except I included docker

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]