Re: [atomic-devel] A new policy rpm for Atomic?

[Daniel J Walsh <dwalsh redhat com>]

I believe the types have to be maintained between the two. 
svirt_lxc_net_t, and svirt_sandbox_file_t. Although I would like to see 
these aliased to container_net_t and container_file_t,  We need to make 
sure the docs work on either platform.


On 07/05/2016 12:18 PM, Colin Walters wrote:
> On Mon, Jun 27, 2016, at 05:04 AM, Miroslav Grepl wrote:
>
> > So we could start to discuss how it is possible to ship new policy on
> > Atomic to solve these urgent issues.
> As far as I see, the mac_admin issue (and the missing domain transition from init_t for install_exec_t) has nothing to do with a reduction in policy size/scope, right?   rpm-ostree just needs the same abilities granted rpm (yum/dnf) and notably PackageKit (which has been a daemon forever).  Hopefully this latest policy update will be the last time it breaks (at least before we figure out how to put a regression test for this in between bodhi and the tree updates).
>
> Anyways, this leads to my biggest concern with having any separate policy - all of a sudden the labels and documentation that people will use when doing Docker on Atomic Host are different from what one gets if one just `yum install docker` on Fedora Server|Workstation, and it means we need separate testing too.
>
> I use docker on Fedora Workstation[1] myself.
>
> I have trouble imagining the pain of carrying that delta is going to be worth the benefit...
>
> > Can you think guys about a way how to do it?
> Mechanically, it's pretty easy to try it out:
>
> diff --git a/fedora-atomic-docker-host.json b/fedora-atomic-docker-host.json
> index 70a1e41..722281d 100644
> --- a/fedora-atomic-docker-host.json
> +++ b/fedora-atomic-docker-host.json
> @@ -1,7 +1,7 @@
>   {
>       "ref": "fedora-atomic/24/x86_64/docker-host",
>   
> -    "repos": ["fedora-24"],
> +    "repos": ["fedora-24", "mgrepl-seatomic"],
>   
>       "selinux": true,
>   
> @@ -50,7 +50,7 @@
>   		 "sos",
>   		 "openssh-clients", "openssh-server", "passwd", "plymouth",
>   		 "policycoreutils", "procps-ng", "rootfiles", "rpm",
> -		 "selinux-policy-targeted", "setup", "shadow-utils",
> +		 "selinux-policy-atomic", "setup", "shadow-utils",
>   		 "sudo", "systemd", "util-linux", "vim-minimal",
>   		 "less",
>   		 "tar",
>
>
> Looks like docker-selinux fails to compile:
> Failed to resolve 'object_r' in roletype statement at line 2 of /var/lib/selinux/targeted/tmp/modules/400/docker/cil
> (Because this is rpm the %post isn't fatal and we continue, but going beyond experimentation
>   then we'd have to have docker-selinux-atomic or figure out how to have the existing
>   policy package somehow conditional)
>
> Finally though it does error out with:
> error: With policy root '/proc/self/fd/16/usr/etc/selinux': selabel_open(SELABEL_CTX_FILE): No such file or directory
>
> Which appears to be because:
> # grep SELINUXTYPE /var/tmp/rpm-ostree.work/rootfs.tmp/etc/selinux/config
> SELINUXTYPE=targeted
>
> Which should be easy to fix but again I'm currently very uncertain about the value proposition here.  I think a redesign of the policy would need to cover more of Fedora than just Atomic Host.   (For example, what about https://fedoraproject.org/wiki/Changes/WorkstationOstree )
>
> [1] Actually on https://ci.centos.org/job/atomic-fedora-ws/ which is similar to the above except I included docker