Bug 1322604

Summary: policy for openshift hostmount-anyuid
Product: OpenShift Container Platform
Reporter: Rich Megginson <rmeggins>
Component: Security
Assignee: Eric Paris <eparis>
Status: CLOSED WONTFIX
QA Contact: Chuan Yu <chuyu>
Severity: low
Priority: medium
Version: 3.2.0
CC: aos-bugs, bchilds, dominick.grift, dwalsh, extras-qa, jialiu, jokerman, lmeyer, lvrabec, mmalik, mmccomas, plautrba, pvrabec, sponnaga, ssekidde, xtian
Hardware: All
OS: Linux
Doc Type: Bug Fix
Clone Of: 1322603
Last Closed: 2019-07-17 22:57:30 UTC
Type: Bug

Description Rich Megginson 2016-03-30 21:07:58 UTC
+++ This bug was initially created as a clone of Bug #1322603 +++

Description of problem:
I want to use the hostmount-anyuid policy to mount volumes into my fluentd container for openshift logging.  See 
https://github.com/openshift/origin-aggregated-logging/issues/89 for details, and the policy that can be used to fix the issue.


Comment 2 Miroslav Grepl 2016-03-31 14:39:05 UTC
Ok this is a good question how we will think about it. I don't think it should be a part of the distro policy. Is there a chance to provide the policy in a different way?

Comment 3 Rich Megginson 2016-03-31 15:09:46 UTC
(In reply to Miroslav Grepl from comment #2)
> Ok this is a good question how we will think about it. I don't think it
> should be a part of the distro policy. Is there a chance to provide the
> policy in a different way?

It is possible, but how?

Comment 4 Lukas Vrabec 2016-04-04 13:11:04 UTC
Rich, 
SELinux policy can be part of some rpm package. You can find more info here: 
http://lvrabec-selinux.rhcloud.com/2015/07/07/how-to-create-selinux-product-policy/

Comment 6 Rich Megginson 2016-04-25 18:33:25 UTC
The problem is not specific to logging.  I guess logging is the first attempt at actually using hostmount-anyuid?  OpenShift itself needs to provide the necessary policy to make use of hostmount-anyuid with _all_ applications, not just the specific usage for logging.