https://bugzilla.redhat.com/show_bug.cgi?id=1224417
Bug ID: 1224417
Summary: add selinux label for /var/lib/kubelet
Product: Fedora
Version: rawhide
Component: docker-io
Assignee: ichavero@redhat.com
Reporter: eparis@redhat.com
QA Contact: extras-qa@fedoraproject.org
CC: adimania@gmail.com, admiller@redhat.com, golang@lists.fedoraproject.org, hushan.jia@gmail.com, ichavero@redhat.com, jchaloup@redhat.com, jperrin@centos.org, lsm5@redhat.com, mattdm@redhat.com, mgoldman@redhat.com, miminar@redhat.com, s@shk.io, thrcka@redhat.com, vbatts@redhat.com
can we get system_u:object_r:svirt_sandbox_file_t:s0 added as the filecontext for /var/lib/kubelet to the docker-selinux package?
can/should we maybe break docker-selinux into its own package?
Eric Paris eparis@redhat.com changed:
What       | Removed             | Added
-----------+---------------------+--------------------------------------
CC         |                     | dwalsh@redhat.com, jcajka@redhat.com
Component  | docker-io           | docker
Assignee   | ichavero@redhat.com | lsm5@redhat.com
--- Comment #1 from Eric Paris eparis@redhat.com ---
https://github.com/fedora-cloud/docker-selinux/pull/4
--- Comment #2 from Daniel Walsh dwalsh@redhat.com ---
We could put it in its own package, but I am not sure that would buy us much. You want /var/lib/kubelet writable by all containers?
Eric Paris eparis@redhat.com changed:
What | Removed | Added
-----+---------+-------------------
CC   |         | pmorie@redhat.com
--- Comment #3 from Eric Paris eparis@redhat.com ---
I'll let you tell me the right label; this is likely not quite it, but it is the best we can do now.
Let's assume you define a pod that uses an NFS mount as its volume. The kubelet will mount the NFS export inside /var/lib/kubelet/$somedir and will then tell docker to volume mount /var/lib/kubelet/$somedir into the container.
If you define a 'secret' for a container the kubelet will mount tmpfs in /var/lib/kubelet/$somedir and the secret as a file in the tmpfs, and then tell docker to volume mount it into your container.
At this point kube is pretty stupid; it does little or no labeling, really. I think we're going to need to move the docker/svirt level knowledge up into kube (it'll eventually land on pmorie's plate, I'd bet) so that kube can mount with good labels that docker can use.
But for now, kubelet does nothing smart...
This is a lot like the label on /var/lib/docker/[something]
Which you know better than me....
--- Comment #4 from Daniel Walsh dwalsh@redhat.com ---
Well, I see a couple of problems here. docker_var_lib_t would be the label I would add, so it matches and is not writable by the container. Mounting the tmpfs would end up being tmpfs_t, and NFS would probably be nfs_t, unless you are using labeled NFS.
Volume mounting with the Z,z would solve some problems, at least for the tmpfs_t.
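As an added illustration (not code from this bug, from docker-selinux or from the linked pull request), the script below parses file_contexts specs in the .fc source form used by refpolicy-style packages and resolves paths the way setfiles/restorecon do, so you can see which label a kubelet volume directory would receive before and after an entry for /var/lib/kubelet is added. The /var/lib base-policy spec, the docker spec and the kubelet entry text are constructed assumptions for the example.

```python
import re
from typing import List, Optional, Tuple

# Constructed file_contexts fragment in .fc source form.  The /var/lib line
# stands in for the base-policy default and the docker line mirrors the kind
# of entry docker.fc carries; both are assumptions, not copied from a package.
FC_FRAGMENT = """
/var/lib(/.*)?            gen_context(system_u:object_r:var_lib_t,s0)
/var/lib/docker(/.*)?     gen_context(system_u:object_r:docker_var_lib_t,s0)
"""
# The entry this bug asks for, written the same way (assumed wording, not the
# text of the linked pull request).
KUBELET_ENTRY = "/var/lib/kubelet(/.*)?    gen_context(system_u:object_r:svirt_sandbox_file_t,s0)"

Spec = Tuple["re.Pattern[str]", Optional[str], str]
_LINE = re.compile(r"^(\S+)\s+(?:(-[bcdlps-])\s+)?(?:gen_context\(([^,]+),([^)]+)\)|(\S+))$")


def parse_fc(text: str) -> List[Spec]:
    """Parse spec lines into (path regex, optional file-type flag, context)."""
    specs: List[Spec] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"unparseable spec: {line!r}")
        path_re, ftype, ctx_base, mls, plain = m.groups()
        ctx = plain if plain else f"{ctx_base}:{mls}"
        # file_contexts regexes are implicitly anchored at both ends
        specs.append((re.compile(path_re + r"\Z"), ftype, ctx))
    return specs


def expected_context(specs: List[Spec], path: str) -> Optional[str]:
    """Resolve a path as setfiles/restorecon would: the last matching spec wins."""
    for regex, _ftype, ctx in reversed(specs):
        if regex.match(path):
            return ctx
    return None


def selinux_type(ctx: str) -> str:
    """Return the type field (third colon-separated component) of a context."""
    return ctx.split(":")[2]


if __name__ == "__main__":
    secret = "/var/lib/kubelet/pods/pod1/volumes/secret"  # constructed path
    print("without entry:", expected_context(parse_fc(FC_FRAGMENT), secret))
    print("with entry:   ", expected_context(parse_fc(FC_FRAGMENT + KUBELET_ENTRY), secret))
```

Swapping svirt_sandbox_file_t for docker_var_lib_t in the kubelet entry shows the alternative Dan suggests above: the directory then matches the daemon's own label and is not container-writable.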
Daniel Walsh dwalsh@redhat.com changed:
What        | Removed | Added
------------+---------+---------------------
Status      | NEW     | CLOSED
Resolution  | ---     | RAWHIDE
Last Closed |         | 2015-06-02 13:58:43
--- Comment #5 from Daniel Walsh dwalsh@redhat.com ---
Should be in the latest docker-1.7 release.