Bug 1316975 - Need policy for aos hostmount-anyuid to access host mounted volumes
Need policy for aos hostmount-anyuid to access host mounted volumes
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy (Show other bugs)
7.3
All Linux
unspecified Severity unspecified
: rc
: ---
Assigned To: Miroslav Grepl
Milos Malik
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2016-03-11 10:17 EST by Rich Megginson
Modified: 2016-05-04 10:16 EDT (History)
8 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-05-04 10:16:13 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Rich Megginson 2016-03-11 10:17:23 EST
Description of problem:
The AOS origin-aggregated-logging fluentd component needs to mount /var/log, needs to be able to read /var/log/message* and /var/log/containers/*, and needs to be able to create and write files in /var/log.

We used to do this by making the fluentd container privileged, and adding the fluentd system user to the aos scc privileged.  However, it was felt that this granted too much access to the fluentd container, and instead fluentd should use the least permissive access, which is scc hostmount-anyuid.  But when fluentd is configured with this scc, the fluentd container cannot access /var/log on the host.

More information is in https://github.com/openshift/origin-aggregated-logging/issues/89

Version-Release number of selected component (if applicable):

# more /etc/redhat-release 
CentOS Linux release 7.2.1511 (Core) 
# rpm -q selinux-policy
selinux-policy-3.13.1-60.el7_2.3.noarch
# oc version
oc v1.1.3
kubernetes v1.2.0-origin

How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:
Comment 2 Paul Morie 2016-03-11 10:26:31 EST
To recap discussion from email, we discussed:

1.  Making hostmount-anyuid use spc_t
2.  Making hostmount-anyuid use another selinux type which is similar to svirt_lxc_net_t, but allows access to /var/log

Note You need to log in before you can comment on or make changes to this bug.