Re: [atomic-devel] SELinux and romana add-on: need advice for romana devs on correct labels
- From: Daniel Walsh <dwalsh redhat com>
- To: ascanio alba7 gmail com, atomic-devel projectatomic io
- Subject: Re: [atomic-devel] SELinux and romana add-on: need advice for romana devs on correct labels
- Date: Mon, 10 Jul 2017 08:17:59 -0400
On 07/10/2017 04:25 AM, ascanio alba7 gmail com wrote:
Oops - that should read
"Currently it does not work with SELinux: it installs a host mount from
/var/lib/romana inside the pod without a transition."
romana devs ask: "adding those three lines (to) romana-services and romana-agent
would fix it, but is it better to be more specific?
(spc = super-privileged container. happy to go with spc_t if there's no other suggestion)"
The "three lines" refers to what kubeadm's etcd pod uses, viz.,
securityContext:
  seLinuxOptions:
    type: spc_t
Any advice is greatly appreciated.
Anthony
If you label the content in /var/lib/romana as container content, then
this should work fine without spc_t, allowing confinement with SELinux.
Not sure if kubeadm allows you to force the relabel automatically
yet. In Docker this is done with
-v /var/lib/romana:/var/lib/romana:Z
This would cause the container runtime to label /var/lib/romana on the
host correctly.
You could do this manually by executing
chcon -Rt svirt_sandbox_file_t /var/lib/romana
on the host. This second option sets the label to a shared label, which
would allow the romana container to run with SELinux confinement. But it
is not as good as the first option, since this label could be
read/written by other containers if they can gain access.
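The difference between the two options in the reply is visible in the file context itself: the manual chcon gives the directory the container type with no MCS categories, so every confined container on the host matches it, while Docker's `:Z` gives the container type plus the MCS category pair that only that container's process label carries. The script below is an added example, not code from the thread or from the romana or kubeadm projects. It parses `ls -Zd`-style lines and `-v` mount specs so an operator can tell the unlabeled, shared and private states apart; the sample lines are constructed, and it runs on a host without SELinux because it only inspects strings. It accepts both svirt_sandbox_file_t (the name used in the reply) and container_file_t (the current name in container-selinux, of which the old one is an alias).

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): classify SELinux file
# contexts as printed by `ls -Zd`, distinguishing:
#   unlabeled : not a container-writable type; a confined (non-spc_t)
#               container is denied access to the mount
#   shared    : container type with no MCS categories, which is what
#               `chcon -Rt svirt_sandbox_file_t` or a `:z` mount sets;
#               any confined container on the host can read/write it
#   private   : container type plus MCS categories (s0:cNNN,cMMM), which
#               is what a `:Z` mount sets; only that container matches
# Runs without SELinux: it only parses label strings.

# Constructed sample of `ls -Zd` output (not captured from a real host).
SAMPLE_LS_Z='system_u:object_r:var_lib_t:s0 /var/lib/romana
system_u:object_r:svirt_sandbox_file_t:s0 /var/lib/romana
system_u:object_r:container_file_t:s0:c123,c456 /var/lib/romana
system_u:object_r:container_file_t:s0 /var/lib/romana'

# classify_label CONTEXT -> prints unlabeled | shared | private
classify_label() {
    ctx=$1
    sel_type=$(printf '%s' "$ctx" | cut -d: -f3)
    sel_level=$(printf '%s' "$ctx" | cut -d: -f4-)
    case "$sel_type" in
        svirt_sandbox_file_t|container_file_t) ;;
        *) echo unlabeled; return 0 ;;
    esac
    # A level with categories looks like s0:c123,c456; plain s0 is shared.
    case "$sel_level" in
        *:c*) echo private ;;
        *)    echo shared ;;
    esac
}

# mount_option_label "host:ctr[:opts]" -> what the runtime will set on the
# host path: private for Z, shared for z, none when it will not relabel
mount_option_label() {
    opts=$(printf '%s' "$1" | cut -d: -f3)
    for o in $(printf '%s' "$opts" | tr ',' ' '); do
        case "$o" in
            Z) echo private; return 0 ;;
            z) echo shared;  return 0 ;;
        esac
    done
    echo none
}

# audit_ls_z: read `ls -Zd` lines on stdin, print "<verdict> <path>" per line
audit_ls_z() {
    while read -r ctx path; do
        printf '%s %s\n' "$(classify_label "$ctx")" "$path"
    done
}

# Stand-alone run: verdicts for the sample lines and for each -v form.
printf '%s\n' "$SAMPLE_LS_Z" | audit_ls_z
for spec in /var/lib/romana:/var/lib/romana \
            /var/lib/romana:/var/lib/romana:z \
            /var/lib/romana:/var/lib/romana:Z; do
    printf '%s -> %s\n' "$spec" "$(mount_option_label "$spec")"
done
```

On a real host, pipe `ls -Zd /var/lib/romana` into `audit_ls_z` after applying either option from the reply: the chcon route should report `shared`, the `:Z` route `private`, and a `shared` verdict is the cue that other confined containers on the host could reach the data.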