4:31 p.m.
https://bugzilla.redhat.com/show_bug.cgi?id=1224417
Bug ID: 1224417
Summary: add selinux label for /var/lib/kubelet
Product: Fedora
Version: rawhide
Component: docker-io
Assignee: ichavero(a)redhat.com
Reporter: eparis(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: adimania(a)gmail.com, admiller(a)redhat.com,
golang(a)lists.fedoraproject.org, hushan.jia(a)gmail.com,
ichavero(a)redhat.com, jchaloup(a)redhat.com,
jperrin(a)centos.org, lsm5(a)redhat.com,
mattdm(a)redhat.com, mgoldman(a)redhat.com,
miminar(a)redhat.com, s(a)shk.io, thrcka(a)redhat.com,
vbatts(a)redhat.com
can we get system_u:object_r:svirt_sandbox_file_t:s0 added as the filecontext
for /var/lib/kubelet to the docker-selinux package?
can/should we maybe break docker-selinux into it's own package?
--
You are receiving this mail because:
You are on the CC list for the bug.
4:40 p.m.
New subject: [Bug 1224417] add selinux label for /var/lib/kubelet
https://bugzilla.redhat.com/show_bug.cgi?id=1224417
Eric Paris <eparis(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |dwalsh(a)redhat.com,
| |jcajka(a)redhat.com
Component|docker-io |docker
Assignee|ichavero(a)redhat.com |lsm5(a)redhat.com
--- Comment #1 from Eric Paris <eparis(a)redhat.com> ---
https://github.com/fedora-cloud/docker-selinux/pull/4
--
You are receiving this mail because:
You are on the CC list for the bug.
9:10 p.m.
New subject: [Bug 1224417] add selinux label for /var/lib/kubelet
https://bugzilla.redhat.com/show_bug.cgi?id=1224417
--- Comment #2 from Daniel Walsh <dwalsh(a)redhat.com> ---
We could put it in its own package. But not sure that would buy us much. You
want the /var/lib/kublet writable by all containers?
--
You are receiving this mail because:
You are on the CC list for the bug.
9:04 a.m.
New subject: [Bug 1224417] add selinux label for /var/lib/kubelet
https://bugzilla.redhat.com/show_bug.cgi?id=1224417
Eric Paris <eparis(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |pmorie(a)redhat.com
--- Comment #3 from Eric Paris <eparis(a)redhat.com> ---
I'll let you tell me the right label, this is likely not quite it, but the best
we can do now.
Lets assume you define a pod that uses an NFS mount as its volume. The kubelet
will mount the NFS export inside /var/lib/kubelet/$somedir and will then tell
docker to volume mount /var/lib/kubelet/$somedir into the container.
If you define a 'secret' for a container the kubelet will mount tmpfs in
/var/lib/kubelet/$somedir and the secret as a file in the tmpfs, and then tell
docker to volume mount it into your container.
At this point kube is pretty stupid, it does no/little labeling really. I think
we're going to need to move the docker/svirt level knowledge up into kube.
(It'll eventually land on pmorie's plate I'd bet) so that kube can mount with
good labels that docker can use.
But for now, kubelet does nothing smart...
This is a lot like the label on /var/lib/docker/[something]
Which you know better than me....
--
You are receiving this mail because:
You are on the CC list for the bug.
3:26 p.m.
New subject: [Bug 1224417] add selinux label for /var/lib/kubelet
https://bugzilla.redhat.com/show_bug.cgi?id=1224417
--- Comment #4 from Daniel Walsh <dwalsh(a)redhat.com> ---
Well I see a couple of problems here. docker_var_lib_t would be the label I
would add, so it matches and is not writable by the container. Mounting the
tmpfs would end up being tmpfs_t and nfs would probably be nfs_t, unless you
are using labeled nfs.
Volume mounting with the Z,z would solve some problems, at least for the
tmpfs_t.
--
You are receiving this mail because:
You are on the CC list for the bug.
12:58 p.m.
New subject: [Bug 1224417] add selinux label for /var/lib/kubelet
https://bugzilla.redhat.com/show_bug.cgi?id=1224417
Daniel Walsh <dwalsh(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |CLOSED
Resolution|--- |RAWHIDE
Last Closed| |2015-06-02 13:58:43
--- Comment #5 from Daniel Walsh <dwalsh(a)redhat.com> ---
Should be in the latest docker-1.7 release.
--
You are receiving this mail because:
You are on the CC list for the bug.
3249
days inactive
3260
days old
golang@lists.fedoraproject.org
5 comments
1 participants
participants (1)
-
Red Hat Bugzilla