1421738 – Need remove "svirt_sandbox_file_t" from openshift.local.volumes

Bug 1421738 - Need remove "svirt_sandbox_file_t" from openshift.local.volumes

Summary: Need remove "svirt_sandbox_file_t" from openshift.local.volumes

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	Node
Sub Component:
Version:	3.5.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	---
Target Release:	---
Assignee:	Paul Morie
QA Contact:	DeShuai Ma
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1450167
TreeView+	depends on / blocked

Reported:	2017-02-13 14:55 UTC by DeShuai Ma
Modified:	2017-08-16 19:51 UTC (History)
CC List:	7 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Clones:	1450167 (view as bug list)
Environment:
Last Closed:	2017-08-10 05:17:28 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHEA-2017:1716	0	normal	SHIPPED_LIVE	Red Hat OpenShift Container Platform 3.6 RPM Release Advisory	2017-08-10 09:02:50 UTC

Description DeShuai Ma 2017-02-13 14:55:40 UTC

Description of problem:
As card https://trello.com/c/BGFPBpeF rebased to 3.5, the label "svirt_sandbox_file_t" on /var/lib/origin/openshift.local.volumes/ is no longer necessary. need remove it make selinux more secure.

Version-Release number of selected component (if applicable):
openshift v3.5.0.19+199197c
kubernetes v1.5.2+43a9be4
etcd 3.1.0

How reproducible:
Always

Steps to Reproduce:
1. Set ocp-3.5 env and on node check selinux context of '/var/lib/origin/openshift.local.volumes/'
[root@host-8-174-53 ~]# ls -ldZ /var/lib/origin/openshift.local.volumes/
drwxr-x---. root root system_u:object_r:svirt_sandbox_file_t:s0 /var/lib/origin/openshift.local.volumes/

Actual results:


Expected results:
1. /var/lib/origin/openshift.local.volumes/ shouldn't have "svirt_sandbox_file_t" label

Additional info:

Comment 1 Eric Paris 2017-02-13 19:25:56 UTC

https://github.com/openshift/origin/pull/12942

Although I am going to call this 'upcoming release' and target 3.6. I am unwilling to destabalize 3.5 at this point when we've worked this way so long.

Comment 2 Derek Carr 2017-03-29 14:07:32 UTC

we will fix this after the rebase lands.

Comment 3 Derek Carr 2017-04-20 19:58:02 UTC

rebase not yet landed.

Comment 4 Eric Paris 2017-05-13 14:30:07 UTC

This is a bug fix, but one that may be dangerous and thus I would prefer to do it at the beginning of next sprint instead of the end of this sprint.

https://github.com/openshift/origin/pull/12942

Comment 5 Derek Carr 2017-05-31 16:31:26 UTC

Eric - do you want to mark this upcoming release per your previous comment?

Comment 6 Eric Paris 2017-05-31 17:24:08 UTC

Paul, you must review this this week and LGTM. You must be ready to tag on Monday.

Comment 7 Seth Jennings 2017-06-22 19:48:02 UTC

Origin merge queue is having issues.

Still hits this aos-cd-jobs bug:
https://github.com/openshift/aos-cd-jobs/issues/346

Adding UpcomingRelease and Eric will manually merge Monday morning if it hasn't merged by then.

Comment 9 DeShuai Ma 2017-07-05 05:34:56 UTC

Verify on openshift v3.6.133

[root@qe-public-master-etcd-1 ~]# ls -ldZ /var/lib/origin/openshift.local.volumes/
drwxr-x---. root root system_u:object_r:var_lib_t:s0   /var/lib/origin/openshift.local.volumes/

Comment 11 errata-xmlrpc 2017-08-10 05:17:28 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:1716

Note You need to log in before you can comment on or make changes to this bug.