Bug 1224417

Summary: add selinux label for /var/lib/kubelet
Product: [Fedora] Fedora Reporter: Eric Paris <eparis>
Component: dockerAssignee: Lokesh Mandvekar <lsm5>
Status: CLOSED RAWHIDE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: rawhideCC: adimania, admiller, dwalsh, golang-updates, hushan.jia, ichavero, jcajka, jchaloup, jperrin, lsm5, mattdm, mgoldman, miminar, pmorie, s, thrcka, tstclair, vbatts
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-06-02 17:58:43 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Eric Paris 2015-05-22 21:31:50 UTC 
can we get system_u:object_r:svirt_sandbox_file_t:s0 added as the filecontext for /var/lib/kubelet to the docker-selinux package?

can/should we maybe break docker-selinux into it's own package?
Comment 1 Eric Paris 2015-05-22 21:40:35 UTC 
https://github.com/fedora-cloud/docker-selinux/pull/4
Comment 2 Daniel Walsh 2015-05-27 02:10:10 UTC 
We could put it in its own package.  But not sure that would buy us much.  You want the /var/lib/kublet writable by all containers?
Comment 3 Eric Paris 2015-05-27 14:04:39 UTC 
I'll let you tell me the right label, this is likely not quite it, but the best we can do now.

Lets assume you define a pod that uses an NFS mount as its volume. The kubelet will mount the NFS export inside /var/lib/kubelet/$somedir and will then tell docker to volume mount /var/lib/kubelet/$somedir into the container.

If you define a 'secret' for a container the kubelet will mount tmpfs in /var/lib/kubelet/$somedir and the secret as a file in the tmpfs, and then tell docker to volume mount it into your container.

At this point kube is pretty stupid, it does no/little labeling really. I think we're going to need to move the docker/svirt level knowledge up into kube. (It'll eventually land on pmorie's plate I'd bet) so that kube can mount with good labels that docker can use.

But for now, kubelet does nothing smart...

This is a lot like the label on /var/lib/docker/[something]

Which you know better than me....
Comment 4 Daniel Walsh 2015-05-27 20:26:37 UTC 
Well I see a couple of problems here.  docker_var_lib_t would be the label I would add, so it matches and is not writable by the container.  Mounting the tmpfs would end up being tmpfs_t and nfs would probably be nfs_t, unless you are using labeled nfs.  

Volume mounting with the Z,z would solve some problems, at least for the tmpfs_t.
Comment 5 Daniel Walsh 2015-06-02 17:58:43 UTC 
Should be in the latest docker-1.7 release.