Description of problem:
We used to set svirt_sandbox_file_t as the SELinux context type for volumes, i.e., for hostPath volumes. But the documentation now says the following ([0]):

"""
The volume will be given a type which is accessible by unprivileged containers. This type is usually container_file_t, which treats volumes as container content. Previously, the label specified was svirt_sandbox_file_t. This label is no longer used due to security concerns.
"""

Even though that context type is not included in the container-selinux we ship through the rhel-7-server-extras-rpms repo:

# semanage fcontext -a -t container_file_t "/test(/.*)?"
ValueError: Type container_file_t is invalid, must be a file or device type
#
# rpm -qi docker container-selinux | grep -e Name -e Version -e Vendor
Name        : docker
Version     : 1.12.6
Vendor      : Red Hat, Inc.
Name        : container-selinux
Version     : 2.33
Vendor      : Red Hat, Inc.
#

[0] https://docs.openshift.com/container-platform/3.6/install_config/persistent_storage/pod_security_context.html#install-config-persistent-storage-pod-security-context

Version-Release number of selected component (if applicable):

How reproducible:
OCP 3.6
Docker 1.12.6

Steps to Reproduce:
1. Install docker 1.12.6 from the rhel-7-server-extras-rpms repo
2. Try to set the context suggested in [0]:
   # semanage fcontext -a -t container_file_t "/test(/.*)?"

Actual results:
ValueError: Type container_file_t is invalid, must be a file or device type

Expected results:
Context is successfully applied.

Additional info:
Tried with the version shipped by the Fedora repo and the context is indeed there.
container_file_t is not defined in RHEL yet, hopefully it will be as of rhel7.5. svirt_sandbox_file_t is the equivalent. In Fedora you can use either name since they are aliased.
It would have been nice if this had been aliased in RHEL as well, as now we need ugly hacks in our Ansible playbooks to maintain compatibility with RHEL7.4 and RHEL7.5.
It is aliased; you can use the old name svirt_lxc_net_t on 7.4 and 7.5. The new name container_t only works on 7.5.
(In reply to Daniel Walsh from comment #4)
> It is aliased, you can use the old name svirt_lxc_net_t on 7.4 and 7.5. The
> new name container_t only works on 7.5

I am confused right now. This bug is about svirt_sandbox_file_t (7.4) vs container_file_t (7.5), not svirt_lxc_net_t?
Sorry, container_file_t is aliased to svirt_sandbox_file_t, also. So if you use svirt_sandbox_file_t on both 7.4 and 7.5 it will work. container_file_t will only work on 7.5.
Unfortunately it doesn't on 7.5:

[root@tme-5238 ~]# yum list installed container-selinux
Loaded plugins: product-id, search-disabled-repos, subscription-manager
Installed Packages
container-selinux.noarch    2:2.55-1.el7    @rhel-7-server-extras-rpms
[root@tme-5238 ~]# semanage fcontext -a -t svirt_sandbox_file_t "/mnt/data/docker(/.*)?"
ValueError: Type svirt_sandbox_file_t is invalid, must be a file or device type
I have to second that. Freshly built 7.5 systems cannot set the fcontext to svirt_sandbox_file_t, they only have container_file_t, while systems that have been upgraded from 7.4 to 7.5 retain both fcontexts. What is the path forward on this? It seems that we have lost backwards compatibility on new installs.
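One way to cope with the split described in the comments above (svirt_sandbox_file_t on 7.4, container_file_t only on fresh 7.5, both on upgraded 7.5) without hard-coding either name: probe the loaded policy for the types it actually defines and label the volume with whichever one exists. This is an added example, not code from this bug or from container-selinux; it assumes `seinfo` from setools-console is installed, and the volume path is a placeholder.

```shell
#!/bin/sh
# Added example (not from this bug report or from container-selinux).
# Labels a volume directory with whichever volume type the loaded SELinux
# policy actually defines: container_file_t on RHEL 7.5, svirt_sandbox_file_t
# on 7.4, either on a host upgraded from 7.4 where both names exist.

# pick_volume_type DEFINED_TYPES
#   DEFINED_TYPES is a whitespace-separated list of type names from the
#   loaded policy (e.g. the output of `seinfo -t`). Prints the preferred
#   name that is defined; prints nothing and returns 1 if neither is.
pick_volume_type() {
    defined=$1
    for candidate in container_file_t svirt_sandbox_file_t; do
        for t in $defined; do
            if [ "$t" = "$candidate" ]; then
                printf '%s\n' "$candidate"
                return 0
            fi
        done
    done
    return 1
}

# label_volume DIR
#   Registers an fcontext rule for DIR and everything below it using the
#   detected type, applies it, and shows the resulting label.
#   Assumes `seinfo` (setools-console) is installed; needs root.
label_volume() {
    dir=$1
    types=$(seinfo -t 2>/dev/null) || {
        echo "seinfo failed; is setools-console installed?" >&2
        return 1
    }
    type=$(pick_volume_type "$types") || {
        echo "neither container_file_t nor svirt_sandbox_file_t is defined" >&2
        return 1
    }
    # -a fails if a rule for this spec already exists; -m would modify it.
    semanage fcontext -a -t "$type" "${dir}(/.*)?" || return 1
    restorecon -Rv "$dir" || return 1
    ls -dZ "$dir"
}

# Usage (placeholder path): label_volume /mnt/data/docker
```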
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days