Can we get system_u:object_r:svirt_sandbox_file_t:s0 added as the file context for /var/lib/kubelet to the docker-selinux package? Can/should we maybe break docker-selinux into its own package?
https://github.com/fedora-cloud/docker-selinux/pull/4
We could put it in its own package. But not sure that would buy us much. You want the /var/lib/kubelet writable by all containers?
I'll let you tell me the right label; this is likely not quite it, but the best we can do now. Let's assume you define a pod that uses an NFS mount as its volume. The kubelet will mount the NFS export inside /var/lib/kubelet/$somedir and will then tell docker to volume mount /var/lib/kubelet/$somedir into the container. If you define a 'secret' for a container, the kubelet will mount tmpfs in /var/lib/kubelet/$somedir and the secret as a file in the tmpfs, and then tell docker to volume mount it into your container. At this point kube is pretty stupid; it does no (or little) labeling, really. I think we're going to need to move the docker/svirt level knowledge up into kube (it'll eventually land on pmorie's plate, I'd bet) so that kube can mount with good labels that docker can use. But for now, kubelet does nothing smart... This is a lot like the label on /var/lib/docker/[something], which you know better than me....
Well I see a couple of problems here. docker_var_lib_t would be the label I would add, so it matches and is not writable by the container. Mounting the tmpfs would end up being tmpfs_t and nfs would probably be nfs_t, unless you are using labeled nfs. Volume mounting with the Z,z would solve some problems, at least for the tmpfs_t.
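An added audit script, not from this thread or the docker-selinux project, that takes `ls -Z`-style lines for directories under /var/lib/kubelet and classifies each one by the SELinux type it carries, using the types discussed above (docker_var_lib_t, tmpfs_t, nfs_t, svirt_sandbox_file_t). The sample lines, the pod paths under /var/lib/kubelet/pods and the verdict strings are constructed for the example.

```python
"""Audit SELinux labels of kubelet volume directories (added example).

Feed it the output of `ls -Z` (context followed by path) and it reports,
for each directory under /var/lib/kubelet, whether the type makes it
writable by every container, or whether a Docker `:Z`/`:z` relabel or
labeled NFS would be needed before a container can use it.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Verdicts follow the thread: svirt_sandbox_file_t is writable by all
# containers; tmpfs_t can be fixed by docker's Z/z relabel; nfs_t cannot
# be relabeled from the client side without labeled NFS.
CONTAINER_WRITABLE = {"svirt_sandbox_file_t"}
RELABEL_CANDIDATES = {"tmpfs_t"}
NOT_RELABELABLE = {"nfs_t"}

# Constructed `ls -Z`-style line: user:role:type:level <path>
LS_Z_RE = re.compile(
    r"^(?P<user>\w+):(?P<role>\w+):(?P<type>\w+):(?P<level>\S+)\s+(?P<path>\S+)$"
)


@dataclass
class VolumeFinding:
    path: str
    setype: str
    verdict: str


def classify(setype: str) -> str:
    """Map an SELinux type to the action a host admin should take."""
    if setype in CONTAINER_WRITABLE:
        return "writable-by-all-containers"
    if setype in RELABEL_CANDIDATES:
        return "needs-:Z-or-:z-relabel"
    if setype in NOT_RELABELABLE:
        return "needs-labeled-nfs"
    if setype == "docker_var_lib_t":
        return "read-only-to-containers"
    return "unknown-review"


def audit(ls_z_output: str, root: str = "/var/lib/kubelet") -> list[VolumeFinding]:
    """Parse ls -Z lines and classify every path under `root`; other paths are skipped."""
    findings: list[VolumeFinding] = []
    for line in ls_z_output.splitlines():
        m = LS_Z_RE.match(line.strip())
        if not m or not m.group("path").startswith(root):
            continue
        findings.append(VolumeFinding(m.group("path"), m.group("type"), classify(m.group("type"))))
    return findings


# Constructed sample input; the pod directories are hypothetical.
SAMPLE = """\
system_u:object_r:docker_var_lib_t:s0 /var/lib/kubelet
system_u:object_r:tmpfs_t:s0 /var/lib/kubelet/pods/p1/volumes/secret
system_u:object_r:nfs_t:s0 /var/lib/kubelet/pods/p1/volumes/nfs-data
system_u:object_r:svirt_sandbox_file_t:s0 /var/lib/kubelet/pods/p2/volumes/empty
unconfined_u:object_r:var_lib_t:s0 /var/lib/docker
"""

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"{f.verdict:32} {f.setype:24} {f.path}")
```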
Should be in the latest docker-1.7 release.