Bug 1316975

Summary: Need policy for aos hostmount-anyuid to access host mounted volumes
Product: Red Hat Enterprise Linux 7
Reporter: Rich Megginson <rmeggins>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED WONTFIX
QA Contact: Milos Malik <mmalik>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 7.3
CC: lvrabec, mgrepl, mmalik, plautrba, pmorie, pvrabec, rmeggins, ssekidde
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-05-04 14:16:13 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:

Description Rich Megginson 2016-03-11 15:17:23 UTC
Description of problem:
The AOS origin-aggregated-logging fluentd component needs to mount /var/log, needs to be able to read /var/log/message* and /var/log/containers/*, and needs to be able to create and write files in /var/log.

We used to do this by making the fluentd container privileged, and adding the fluentd system user to the aos scc privileged.  However, it was felt that this granted too much access to the fluentd container, and instead fluentd should use the least permissive access, which is scc hostmount-anyuid.  But when fluentd is configured with this scc, the fluentd container cannot access /var/log on the host.

More information is in https://github.com/openshift/origin-aggregated-logging/issues/89

Version-Release number of selected component (if applicable):

# more /etc/redhat-release
CentOS Linux release 7.2.1511 (Core)
# rpm -q selinux-policy
selinux-policy-3.13.1-60.el7_2.3.noarch
# oc version
oc v1.1.3
kubernetes v1.2.0-origin

How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 2 Paul Morie 2016-03-11 15:26:31 UTC
To recap discussion from email, we discussed:

1.  Making hostmount-anyuid use spc_t
2.  Making hostmount-anyuid use another selinux type which is similar to svirt_lxc_net_t, but allows access to /var/log