Thanks to visit codestin.com
Credit goes to github.com

Skip to content

[release-1.18] Automatically label containers running systemd with the correct label #3764

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
openshift-cherrypick-robot wants to merge 2 commits into from
Closed

[release-1.18] Automatically label containers running systemd with the correct label #3764

openshift-cherrypick-robot wants to merge 2 commits into from
+50 −2

Conversation

@openshift-cherrypick-robot
Copy link

@openshift-cherrypick-robot openshift-cherrypick-robot commented May 13, 2020

This is an automated cherry-pick of #3754

/assign umohnani8

containers running `init` or `systemd` are now given a new selinux label `container_init_t`, giving it selinux privileges more appropriate for the workload

rhatdan and others added 2 commits May 13, 2020 22:55
@rhatdan
Automatically label containers running systemd with the correct label
827dfcc 
Newer versions of container-selinux, container-selinux-2.132.0 or newer,
supply a `container_init_t` label.  If CRI-O is running systemd or init inside
of the container, then the container will require different SELinux privs
to run the container.

By using the new SELinux label, we can run ordinary containers with a tighter
selinux policy then those running the init system, makeing the overlay system
more secure.

The eliminates the need to turn on the container_manage_cgroup SELinux boolean.

Ie no need to execute

```
setsebool -P container_manage_cgroup 1
```

Any longer. On systems without the updated container-selnux package, the containers will still
attempt to run the standard container type `container_t`, and still require the boolean.

Signed-off-by: Daniel J Walsh <[email protected]>
@haircommander
bump version of libpod to get selinux
d6f360e 
Signed-off-by: Peter Hunt <[email protected]>
@openshift-ci-robot openshift-ci-robot added the dco-signoff: yes Indicates the PR's author has DCO signed all their commits. label May 13, 2020
@openshift-cherrypick-robot openshift-cherrypick-robot mentioned this pull request May 13, 2020
Merged
@umohnani8
Copy link
Member

umohnani8 commented May 13, 2020

/approve
LGTM

@openshift-ci-robot
Copy link

openshift-ci-robot commented May 13, 2020

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: openshift-cherrypick-robot, umohnani8

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci-robot openshift-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 13, 2020
@codecov
Copy link

codecov bot commented May 13, 2020

Codecov Report

Merging #3764 into release-1.18 will decrease coverage by 0.01%.
The diff coverage is 0.00%.

@@               Coverage Diff                @@
##           release-1.18    #3764      +/-   ##
================================================
- Coverage         40.53%   40.51%   -0.02%     
================================================
  Files               105      105              
  Lines              8608     8611       +3     
================================================
  Hits               3489     3489              
- Misses             4808     4811       +3     
  Partials            311      311

@umohnani8
Copy link
Member

umohnani8 commented May 13, 2020

Replacing with #3765 to fix the vendor failures. Closing.

@umohnani8 umohnani8 closed this May 13, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mrunalp mrunalp Awaiting requested review from mrunalp mrunalp is a code owner

@runcom runcom Awaiting requested review from runcom runcom is a code owner

@giuseppe giuseppe Awaiting requested review from giuseppe

@haircommander haircommander Awaiting requested review from haircommander

Assignees

@umohnani8 umohnani8

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. dco-signoff: yes Indicates the PR's author has DCO signed all their commits.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@openshift-cherrypick-robot @umohnani8 @openshift-ci-robot @rhatdan @haircommander