Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1450167

Summary: Upgrade needs to remove "svirt_sandbox_file_t" from openshift.local.volumes
Product: OpenShift Container Platform Reporter: Scott Dodson <sdodson>
Component: Cluster Version OperatorAssignee: Scott Dodson <sdodson>
Status: CLOSED ERRATA QA Contact: Anping Li <anli>
Severity: medium Docs Contact:
Priority: medium    
Version: 3.6.0CC: aos-bugs, decarr, dma, eparis, jokerman, mmccomas, pmorie
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1421738 Environment:
Last Closed: 2017-08-10 05:23:08 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1421738    
Bug Blocks:    

Description Scott Dodson 2017-05-11 17:14:41 UTC 
+++ This bug was initially created as a clone of Bug #1421738 +++

Description of problem:
As card https://trello.com/c/BGFPBpeF rebased to 3.5, the label "svirt_sandbox_file_t" on /var/lib/origin/openshift.local.volumes/ is no longer necessary. need remove it make selinux more secure.

Version-Release number of selected component (if applicable):
openshift v3.5.0.19+199197c
kubernetes v1.5.2+43a9be4
etcd 3.1.0

How reproducible:
Always

Steps to Reproduce:
1. Set ocp-3.5 env and on node check selinux context of '/var/lib/origin/openshift.local.volumes/'
[root@host-8-174-53 ~]# ls -ldZ /var/lib/origin/openshift.local.volumes/
drwxr-x---. root root system_u:object_r:svirt_sandbox_file_t:s0 /var/lib/origin/openshift.local.volumes/

Actual results:


Expected results:
1. /var/lib/origin/openshift.local.volumes/ shouldn't have "svirt_sandbox_file_t" label

Additional info:

--- Additional comment from Eric Paris on 2017-02-13 14:25:56 EST ---

https://github.com/openshift/origin/pull/12942

Although I am going to call this 'upcoming release' and target 3.6. I am unwilling to destabalize 3.5 at this point when we've worked this way so long.

--- Additional comment from Derek Carr on 2017-03-29 10:07:32 EDT ---

we will fix this after the rebase lands.

--- Additional comment from Derek Carr on 2017-04-20 15:58:02 EDT ---

rebase not yet landed.
Comment 1 Scott Dodson 2017-05-11 17:17:33 UTC 
This clone is to have the installer reset the context of /var/lib/origin/openshift.local.volumes during upgrades

https://github.com/openshift/openshift-ansible/pull/4165
Comment 5 Anping Li 2017-07-05 08:00:01 UTC 
Verified and pass. The label is as following
[root@host3-ha-1 ~]# ls -laZ /var/lib/origin/openshift.local.volumes/
drwxr-x---. root root system_u:object_r:svirt_sandbox_file_t:s0 .
drwxr-xr-x. root root unconfined_u:object_r:var_lib_t:s0 ..
drwxr-x---. root root system_u:object_r:var_lib_t:s0   plugins
drwxr-x---. root root system_u:object_r:var_lib_t:s0   pods
Comment 7 errata-xmlrpc 2017-08-10 05:23:08 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:1716