On Mon, Jun 27, 2016, at 05:04 AM, Miroslav Grepl wrote:
> So we could start to discuss how it is possible to ship new policy on
> Atomic to solve these urgent issues.
As far as I see, the mac_admin issue (and the missing domain transition from init_t for install_exec_t) has nothing to do with a reduction in policy size/scope, right? rpm-ostree just needs the same abilities granted rpm (yum/dnf) and notably PackageKit (which has been a daemon forever). Hopefully this latest policy update will be the last time it breaks (at least before we figure out how to put a regression test for this in between bodhi and the tree updates).
Anyways, this leads to my biggest concern with having any separate policy - all of a sudden the labels and documentation that people will use when doing Docker on Atomic Host are different from what one gets if one just `yum install docker` on Fedora Server|Workstation, and it means we need separate testing too.
I use docker on Fedora Workstation myself.
I have trouble imagining the pain of carrying that delta is going to be worth the benefit...
> Can you guys think about a way to do it?
Mechanically, it's pretty easy to try it out:
diff --git a/fedora-atomic-docker-host.json b/fedora-atomic-docker-host.json
index 70a1e41..722281d 100644
@@ -1,7 +1,7 @@
- "repos": ["fedora-24"],
+ "repos": ["fedora-24", "mgrepl-seatomic"],
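Review bot: The added repo id "mgrepl-seatomic" on the `+` line arrives with no indication of where that repo is defined or who maintains it, and the name reads as a personal scratch repo; since the surrounding message frames this as trying the idea out, the hunk should say so explicitly (or the repo source should be documented next to the treefile) so nobody mistakes a fedora-atomic-docker-host.json carrying `"repos": ["fedora-24", "mgrepl-seatomic"]` for something that could be composed and shipped as-is.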
@@ -50,7 +50,7 @@
"openssh-clients", "openssh-server", "passwd", "plymouth",
"policycoreutils", "procps-ng", "rootfiles", "rpm",
- "selinux-policy-targeted", "setup", "shadow-utils",
+ "selinux-policy-atomic", "setup", "shadow-utils",
"sudo", "systemd", "util-linux", "vim-minimal",
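Review bot: Swapping `"selinux-policy-targeted"` for `"selinux-policy-atomic"` leaves untouched two things the rest of the tree still assumes, and both surface as failures in the compose output below: docker-selinux still builds its module into /var/lib/selinux/targeted (the 'object_r' resolve error), and etc/selinux/config's SELINUXTYPE is not adjusted to name whatever store the new package installs, which is what the selabel_open error against the policy root points at. Before this is more than an experiment the hunk needs a matching docker policy package for the new store (or a conditional in docker-selinux), plus an explicit SELINUXTYPE that matches the installed store.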
Looks like docker-selinux fails to compile:
Failed to resolve 'object_r' in roletype statement at line 2 of /var/lib/selinux/targeted/tmp/modules/400/docker/cil
(Because this is rpm, the %post isn't fatal and we continue, but going beyond experimentation
we'd have to have a docker-selinux-atomic or figure out how to make the existing
policy package somehow conditional)
Finally though it does error out with:
error: With policy root '/proc/self/fd/16/usr/etc/selinux': selabel_open(SELABEL_CTX_FILE): No such file or directory
Which appears to be because:
# grep SELINUXTYPE /var/tmp/rpm-ostree.work/rootfs.tmp/etc/selinux/config
Which should be easy to fix but again I'm currently very uncertain about the value proposition here. I think a redesign of the policy would need to cover more of Fedora than just Atomic Host. (For example, what about https://fedoraproject.org/wiki/Changes/WorkstationOstree )
Actually on https://ci.centos.org/job/atomic-fedora-ws/ which is similar to the above except I included docker
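As an added example (not part of this thread and not rpm-ostree's own code), here is the kind of pre-flight check that would catch the selabel_open failure above before the compose gets that far: it reads SELINUXTYPE from the rootfs's etc/selinux/config and verifies that the named policy store, with its file_contexts, actually exists under etc/selinux/. It assumes the usual /etc/selinux/<type>/contexts/files/file_contexts layout; the rootfs trees it builds for the demo are constructed, not real compose output.

```shell
#!/bin/sh
# Pre-flight check for a compose rootfs: does SELINUXTYPE in
# etc/selinux/config name a policy store that is really installed?
# selabel_open(SELABEL_CTX_FILE) against that policy root fails when
# it does not. Added example, not rpm-ostree code.

# check_selinux_store ROOTFS -> prints a one-line diagnosis,
# returns 0 only when config and installed store agree.
check_selinux_store() {
    root="$1"
    cfg="$root/etc/selinux/config"
    if [ ! -f "$cfg" ]; then
        echo "MISSING: $cfg"
        return 1
    fi
    # Last uncommented SELINUXTYPE= value, whitespace stripped.
    type=$(sed -n 's/^[[:space:]]*SELINUXTYPE[[:space:]]*=[[:space:]]*//p' "$cfg" \
           | tail -n 1 | tr -d '[:space:]')
    if [ -z "$type" ]; then
        echo "UNSET: no SELINUXTYPE in $cfg"
        return 1
    fi
    store="$root/etc/selinux/$type"
    if [ ! -d "$store" ]; then
        echo "NOSTORE: SELINUXTYPE=$type but $store does not exist"
        return 1
    fi
    fc="$store/contexts/files/file_contexts"
    if [ ! -f "$fc" ]; then
        echo "NOCONTEXTS: $fc missing"
        return 1
    fi
    echo "OK: SELINUXTYPE=$type, file_contexts present"
    return 0
}

# make_rootfs DIR TYPE_IN_CONFIG STORE_TO_CREATE
# Builds a constructed, minimal etc/selinux tree for demonstration.
# An empty TYPE_IN_CONFIG writes a config with no SELINUXTYPE line.
make_rootfs() {
    mkdir -p "$1/etc/selinux"
    if [ -n "$2" ]; then
        printf 'SELINUX=enforcing\nSELINUXTYPE=%s\n' "$2" > "$1/etc/selinux/config"
    else
        printf 'SELINUX=enforcing\n' > "$1/etc/selinux/config"
    fi
    if [ -n "$3" ]; then
        mkdir -p "$1/etc/selinux/$3/contexts/files"
        : > "$1/etc/selinux/$3/contexts/files/file_contexts"
    fi
}

# Demo: one consistent tree, one where the policy package was swapped
# but the config still names the old store.
demo() {
    d=$(mktemp -d)
    make_rootfs "$d/ok" targeted targeted
    make_rootfs "$d/swapped" targeted atomic
    for r in "$d/ok" "$d/swapped"; do
        check_selinux_store "$r" || true
    done
    rm -rf "$d"
}
demo
```

Run it against the compose work directory (the rootfs.tmp path from the message) as `check_selinux_store /var/tmp/rpm-ostree.work/rootfs.tmp`; a non-zero exit is the signal to stop before rpm-ostree tries to label the tree.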