Red Hat Bugzilla – Bug 1316975
Need policy for aos hostmount-anyuid to access host mounted volumes
Last modified: 2016-05-04 10:16:13 EDT
Description of problem:
The AOS origin-aggregated-logging fluentd component needs to mount /var/log, needs to be able to read /var/log/message* and /var/log/containers/*, and needs to be able to create and write files in /var/log.
We used to do this by making the fluentd container privileged, and adding the fluentd system user to the aos scc privileged. However, it was felt that this granted too much access to the fluentd container, and instead fluentd should use the least permissive access, which is scc hostmount-anyuid. But when fluentd is configured with this scc, the fluentd container cannot access /var/log on the host.
More information is in https://github.com/openshift/origin-aggregated-logging/issues/89
Version-Release number of selected component (if applicable):
# more /etc/redhat-release
CentOS Linux release 7.2.1511 (Core)
# rpm -q selinux-policy
# oc version
Steps to Reproduce:
To recap discussion from email, we discussed:
1. Making hostmount-anyuid use spc_t
2. Making hostmount-anyuid use another selinux type which is similar to svirt_lxc_net_t, but allows access to /var/log
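To make concrete what "least permissive access" means in this report, the following is an added illustration (not from the bug report or the origin-aggregated-logging project) of the SCC fields that separate `privileged` from `hostmount-anyuid`, followed by the kind of hostPath mount fluentd would carry. The SCC field values reflect the stock OpenShift Origin definitions as I recall them and are an assumption here; check them against `oc get scc privileged hostmount-anyuid -o yaml` on the cluster in question. The pod, service account and image names (`logging-fluentd`, `aggregated-logging-fluentd`, `REPLACE_WITH_FLUENTD_IMAGE`) are placeholders.

```yaml
# Added illustration, not from the bug report. Stock SCC values are assumed;
# verify with: oc get scc privileged hostmount-anyuid -o yaml

# --- The SCC fluentd used to run under: essentially everything is allowed ---
kind: SecurityContextConstraints
apiVersion: v1
metadata:
  name: privileged
allowPrivilegedContainer: true      # full root in the container, no capability bounding
allowHostDirVolumePlugin: true      # hostPath volumes permitted
allowHostNetwork: true
allowHostPID: true
allowHostIPC: true
allowedCapabilities: ['*']
runAsUser:
  type: RunAsAny
seLinuxContext:
  type: RunAsAny                    # container may run unconfined (spc_t)
---
# --- The SCC this bug asks for instead: only the host mount is relaxed ---
kind: SecurityContextConstraints
apiVersion: v1
metadata:
  name: hostmount-anyuid
allowPrivilegedContainer: false
allowHostDirVolumePlugin: true      # hostPath volumes permitted (what fluentd needs)
allowHostNetwork: false
allowHostPID: false
allowHostIPC: false
runAsUser:
  type: RunAsAny                    # fluentd may still run as UID 0 if it needs to
seLinuxContext:
  type: MustRunAs                   # process gets the confined container type
                                    # (svirt_lxc_net_t) plus an MCS label; files under
                                    # /var/log on the host are labelled var_log_t, which
                                    # that type is not allowed to write, so the access
                                    # failure described in this bug is an SELinux denial
                                    # rather than a filesystem permission problem
---
# --- Pod fragment for fluentd (names are placeholders) mounting /var/log from the host ---
apiVersion: v1
kind: Pod
metadata:
  name: logging-fluentd
spec:
  serviceAccountName: aggregated-logging-fluentd
  containers:
  - name: fluentd
    image: REPLACE_WITH_FLUENTD_IMAGE
    securityContext:
      privileged: false             # a value of true is rejected under hostmount-anyuid
    volumeMounts:
    - name: varlog
      mountPath: /var/log           # reads messages* and containers/*, writes its own state files
  volumes:
  - name: varlog
    hostPath:
      path: /var/log                # not readOnly: fluentd must create files here
```

The service account is bound to the SCC with `oc adm policy add-scc-to-user hostmount-anyuid -z aggregated-logging-fluentd` (`oadm policy ...` on older Origin releases), and the existing `privileged` binding should be dropped with `remove-scc-from-user` at the same time so the pod is no longer eligible for it. When the denial occurs, `ausearch -m avc -c fluentd` on the node shows the `svirt_lxc_net_t` to `var_log_t` denial, which is the evidence to attach when choosing between the two policy options listed above.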