Bug 1450167 - Upgrade needs to remove "svirt_sandbox_file_t" from openshift.local.volumes
Summary: Upgrade needs to remove "svirt_sandbox_file_t" from openshift.local.volumes
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Cluster Version Operator
Version: 3.6.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Scott Dodson
QA Contact: Anping Li
URL:
Whiteboard:
Depends On: 1421738
Blocks:
Reported: 2017-05-11 17:14 UTC by Scott Dodson
Modified: 2017-08-16 19:51 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1421738
Environment:
Last Closed: 2017-08-10 05:23:08 UTC
Target Upstream Version:
Embargoed:




Links:
Red Hat Product Errata RHEA-2017:1716 (priority normal, status SHIPPED_LIVE): Red Hat OpenShift Container Platform 3.6 RPM Release Advisory, last updated 2017-08-10 09:02:50 UTC

Description Scott Dodson 2017-05-11 17:14:41 UTC
+++ This bug was initially created as a clone of Bug #1421738 +++

Description of problem:
As card https://trello.com/c/BGFPBpeF was rebased to 3.5, the label "svirt_sandbox_file_t" on /var/lib/origin/openshift.local.volumes/ is no longer necessary. It needs to be removed to make SELinux more secure.

Version-Release number of selected component (if applicable):
openshift v3.5.0.19+199197c
kubernetes v1.5.2+43a9be4
etcd 3.1.0

How reproducible:
Always

Steps to Reproduce:
1. Set up an OCP 3.5 environment and, on a node, check the SELinux context of '/var/lib/origin/openshift.local.volumes/':
[root@host-8-174-53 ~]# ls -ldZ /var/lib/origin/openshift.local.volumes/
drwxr-x---. root root system_u:object_r:svirt_sandbox_file_t:s0 /var/lib/origin/openshift.local.volumes/

Actual results:


Expected results:
1. /var/lib/origin/openshift.local.volumes/ shouldn't have "svirt_sandbox_file_t" label

Additional info:

--- Additional comment from Eric Paris on 2017-02-13 14:25:56 EST ---

https://github.com/openshift/origin/pull/12942

Although I am going to call this 'upcoming release' and target 3.6. I am unwilling to destabilize 3.5 at this point when we've worked this way so long.

--- Additional comment from Derek Carr on 2017-03-29 10:07:32 EDT ---

We will fix this after the rebase lands.

--- Additional comment from Derek Carr on 2017-04-20 15:58:02 EDT ---

Rebase not yet landed.

Comment 1 Scott Dodson 2017-05-11 17:17:33 UTC
This clone is to have the installer reset the context of /var/lib/origin/openshift.local.volumes during upgrades.

https://github.com/openshift/openshift-ansible/pull/4165

Comment 5 Anping Li 2017-07-05 08:00:01 UTC
Verified and passed. The labels are as follows:
[root@host3-ha-1 ~]# ls -laZ /var/lib/origin/openshift.local.volumes/
drwxr-x---. root root system_u:object_r:svirt_sandbox_file_t:s0 .
drwxr-xr-x. root root unconfined_u:object_r:var_lib_t:s0 ..
drwxr-x---. root root system_u:object_r:var_lib_t:s0   plugins
drwxr-x---. root root system_u:object_r:var_lib_t:s0   pods
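As an added example (not code from this bug or from the openshift-ansible change it references), the following POSIX sh check parses an `ls -laZ` listing in the RHEL 7 format shown in this bug (mode, user, group, context, name) and reports every entry, the directory itself included, that still carries the svirt_sandbox_file_t type. The variable and function names are assumptions; the embedded sample listing is the one posted in comment 5.

```shell
#!/bin/sh
# Added example, not code from this bug or from openshift-ansible PR 4165:
# audit an `ls -laZ` listing (RHEL 7 coreutils format, as posted in this bug:
# mode user group context name) for entries still typed svirt_sandbox_file_t.

# SELinux type the upgrade is supposed to remove (variable name is assumed).
STALE_TYPE="svirt_sandbox_file_t"

# Constructed sample input: the listing posted in comment 5 of this bug.
SAMPLE_LISTING='drwxr-x---. root root system_u:object_r:svirt_sandbox_file_t:s0 .
drwxr-xr-x. root root unconfined_u:object_r:var_lib_t:s0 ..
drwxr-x---. root root system_u:object_r:var_lib_t:s0   plugins
drwxr-x---. root root system_u:object_r:var_lib_t:s0   pods'

# selinux_type CONTEXT: print the type, i.e. the third colon-separated field
# of user:role:type:level.
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# stale_entries LISTING: print the name of every entry whose type is STALE_TYPE.
stale_entries() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        [ -n "$line" ] || continue
        # Split on whitespace: $1 mode, $2 user, $3 group, $4 context, $5 name.
        set -- $line
        if [ "$(selinux_type "$4")" = "$STALE_TYPE" ]; then
            printf '%s\n' "$5"
        fi
    done
}

# check_dir DIR: live check on a node; returns 1 and lists offenders on stderr
# if anything under DIR (including DIR itself, "." in the listing) is stale.
check_dir() {
    stale=$(stale_entries "$(ls -laZ "$1")") || return 1
    if [ -n "$stale" ]; then
        printf 'entries still labelled %s under %s: %s\n' \
            "$STALE_TYPE" "$1" "$(printf '%s' "$stale" | tr '\n' ' ')" >&2
        return 1
    fi
    return 0
}
```

On a node, `check_dir /var/lib/origin/openshift.local.volumes` runs the same audit over the real listing; `restorecon -Rv` on that path resets every entry to the policy default, which for /var/lib is var_lib_t, the type the plugins and pods entries above already carry.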

Comment 7 errata-xmlrpc 2017-08-10 05:23:08 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:1716