Re: [atomic-devel] SELinux and romana add-on: need advice for romana devs on correct labels

On 07/10/2017 04:25 AM, ascanio alba7 gmail com wrote:
> Ooops - that should read
>
> "Currently it does not work with SELinux: it installs a host mount from
> /var/lib/romana inside the pod without a transition."
>
> romana devs ask: "adding those three lines (to) romana-services and romana-agent
> would fix it, but is it better to be more specific?
> (spc = super-privileged container. happy to go with spc_t if there's no other suggestion)"
>
> The "three lines" refers to what kubeadm's etcd pod uses, viz.,
>        type: spc_t
>
> Any advice is greatly appreciated.


If you label the content in /var/lib/romana as container content, then this should work fine without spc_t, allowing confinement with SELinux.

Not sure if kubeadmin allows you to force the relabel automatically yet. In docker this is done with

-v /var/lib/romana:/var/lib/romana:Z

This would cause the container runtime to label /var/lib/romana on the host correctly.

You could do this manually by executing

chcon -Rt svirt_sandbox_file_t /var/lib/romana

on the host. This second option sets the label to a shared label, which would allow the romana container to run with SELinux confinement. But it is not as good as the first option, since this label could be read/written by other containers if they can gain access.
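The two options above differ only in the label's MCS level: a `:Z` mount gives the directory a per-container level such as `s0:c123,c456`, while `chcon -t svirt_sandbox_file_t` leaves it at the shared `s0`. The following Python is an added example, not code from this thread or from the romana project: it parses constructed `ls -dZ` style output (the sample lines are made up), classifies each host path as not container content, shared, or private, and states which of the two remediations from the reply applies. `container_file_t` is treated as equivalent to `svirt_sandbox_file_t`, which it aliases in newer container-selinux policies.

```python
"""Classify SELinux labels on host directories that get bind-mounted
into containers, from `ls -dZ` style output.

Added example; the sample output below is constructed, not captured
from a real host."""
import re
from typing import NamedTuple

# Constructed sample of `ls -dZ <path>` output: context, then path.
SAMPLE_LS_Z = """\
system_u:object_r:var_lib_t:s0 /var/lib/romana
system_u:object_r:svirt_sandbox_file_t:s0 /var/lib/shared-data
system_u:object_r:container_file_t:s0:c123,c456 /var/lib/private-data
"""

# user:role:type:level  path   (level may carry MCS categories)
LABEL_RE = re.compile(
    r"^(?P<user>[^:\s]+):(?P<role>[^:\s]+):(?P<type>[^:\s]+):(?P<level>\S+)\s+(?P<path>\S+)$"
)

# Types a confined container process may read and write.
CONTAINER_CONTENT_TYPES = {"svirt_sandbox_file_t", "container_file_t"}


class Verdict(NamedTuple):
    path: str
    setype: str
    level: str
    status: str  # "not-container-content" | "shared" | "private"


def classify(ls_z_line: str) -> Verdict:
    """Classify one `ls -dZ` line by its SELinux type and MCS level."""
    m = LABEL_RE.match(ls_z_line.strip())
    if not m:
        raise ValueError(f"not an ls -Z line: {ls_z_line!r}")
    setype, level, path = m.group("type"), m.group("level"), m.group("path")
    if setype not in CONTAINER_CONTENT_TYPES:
        status = "not-container-content"   # confined container gets EACCES
    elif ":" in level:
        status = "private"                 # s0:cN,cM -> only the matching container
    else:
        status = "shared"                  # plain s0 -> any container that reaches it
    return Verdict(path, setype, level, status)


def remediation(v: Verdict) -> str:
    """Map a verdict to the fix described in the reply (docker -v syntax)."""
    if v.status == "not-container-content":
        return (f"relabel: mount as -v {v.path}:{v.path}:Z (private) or run "
                f"chcon -Rt svirt_sandbox_file_t {v.path} (shared)")
    if v.status == "shared":
        return (f"works confined, but other containers can access {v.path}; "
                f"prefer -v {v.path}:{v.path}:Z for a private label")
    return f"ok: {v.path} is private container content"


def audit(ls_z_output: str) -> list:
    """Classify every non-empty line of `ls -dZ` output."""
    return [classify(line) for line in ls_z_output.splitlines() if line.strip()]


if __name__ == "__main__":
    for verdict in audit(SAMPLE_LS_Z):
        print(f"{verdict.path:<24} {verdict.status:<22} {remediation(verdict)}")
```

Run against real output with `ls -dZ /var/lib/romana | python3 this_file.py`-style piping after swapping `SAMPLE_LS_Z` for `sys.stdin.read()`; the classification logic does not depend on the sample data.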

