Description of problem:
The AOS origin-aggregated-logging fluentd component needs to mount /var/log, needs to be able to read /var/log/message* and /var/log/containers/*, and needs to be able to create and write files in /var/log. We used to do this by making the fluentd container privileged, and adding the fluentd system user to the aos scc privileged. However, it was felt that this granted too much access to the fluentd container, and instead fluentd should use the least permissive access, which is scc hostmount-anyuid. But when fluentd is configured with this scc, the fluentd container cannot access /var/log on the host.

More information is in https://github.com/openshift/origin-aggregated-logging/issues/89

Version-Release number of selected component (if applicable):
# more /etc/redhat-release
CentOS Linux release 7.2.1511 (Core)
# rpm -q selinux-policy
selinux-policy-3.13.1-60.el7_2.3.noarch
# oc version
oc v1.1.3
kubernetes v1.2.0-origin

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
To recap discussion from email, we discussed:
1. Making hostmount-anyuid use spc_t
2. Making hostmount-anyuid use another selinux type which is similar to svirt_lxc_net_t, but allows access to /var/log
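An added triage check, not part of this bug report or of the origin-aggregated-logging project, for confirming that the failure described above is the container's SELinux domain being denied access to /var/log: it reads audit AVC lines and keeps only the denials whose target is labelled var_log_t, printing the source domain, target type, object class and denied permissions. The audit lines below are constructed for the example; on a real node the output of `ausearch -m avc` would be fed in instead.

```shell
#!/bin/sh
# Constructed AVC lines (not captured from the bug): two from a fluentd process
# confined as svirt_lxc_net_t hitting var_log_t, plus one unrelated denial that
# must be filtered out.
AVC_SAMPLE='type=AVC msg=audit(1459876543.123:4567): avc:  denied  { read } for  pid=12345 comm="fluentd" name="messages" dev="dm-0" ino=67890 scontext=system_u:system_r:svirt_lxc_net_t:s0:c1,c2 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1459876543.456:4568): avc:  denied  { write add_name } for  pid=12345 comm="fluentd" name="log" dev="dm-0" ino=67891 scontext=system_u:system_r:svirt_lxc_net_t:s0:c1,c2 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
type=AVC msg=audit(1459876543.789:4569): avc:  denied  { read } for  pid=999 comm="nginx" name="index.html" dev="dm-0" ino=1 scontext=system_u:system_r:svirt_lxc_net_t:s0:c3,c4 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file'

# Read audit lines on stdin; print "source_domain target_type class perms" for
# every denial whose target is labelled var_log_t (/var/log and its contents).
var_log_denials() {
  awk '
    /avc: +denied/ {
      sdom = ""; ttype = ""; tclass = ""
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        if (kv[1] == "scontext")      { split(kv[2], s, ":"); sdom = s[3] }
        else if (kv[1] == "tcontext") { split(kv[2], t, ":"); ttype = t[3] }
        else if (kv[1] == "tclass")   { tclass = kv[2] }
      }
      if (ttype != "var_log_t") next
      # The denied permissions are the space-separated words between the braces.
      match($0, /\{[^}]*\}/)
      perms = substr($0, RSTART + 1, RLENGTH - 2)
      gsub(/^ +| +$/, "", perms)
      printf "%s %s %s %s\n", sdom, ttype, tclass, perms
    }'
}

# Run against the constructed sample; only the two var_log_t denials are printed.
printf '%s\n' "$AVC_SAMPLE" | var_log_denials
```

A non-empty result from this check is the signal that the domain named in the first column (here svirt_lxc_net_t) lacks the var_log_t permissions fluentd needs, which is exactly the gap the two options above propose to close.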