This repository has been archived by the owner on Feb 7, 2023. It is now read-only.

Special case Fedora 26 selinux context for /usr/bin/docker-storage-setup #133

Closed
mike-nguyen opened this issue Apr 13, 2017 · 2 comments
@mike-nguyen
Collaborator

Container-storage-setup is used in F26, which makes /usr/bin/docker-storage-setup a symlink with the selinux context of system_u:object_r:bin_t:s0. Dan Walsh said "docker-storage-setup is a symbolic link to container-storage-setup, so bin_t is fine."

The selinux_verify role currently checks for container_runtime_exec_t so there needs to be a special case for Fedora 26.

@mike-nguyen
Collaborator Author

Additional comments from Dan in #atomic:

"We had a label of docker* for files, which is why it was container_runtime_exec_t, now it is a lnk_file so it defaults back to bin_t, but neither has any effect"

@miabbott miabbott added the bug label Apr 18, 2017
miabbott added a commit to miabbott/atomic-host-tests that referenced this issue Apr 20, 2017
This changes how the `selinux_verify` role will check the SELinux file
and process labels.  The main improvement is the ability to create
distro-specific checks of the labels.

Instead of one master file that contains all the files and processes
we want to check, there are now two locations where this information
is defined.  There is a 'common' file that contains the files/processes
that can be found on all supported streams.  And there are distro-specific
(per major-release) files that define files/processes which don't
land in the 'common' set.  This brings in great flexibility for
supporting new versions of streams, as well as the ability to expand
the files/processes we want to check.

This change also does away with the complexity of the
`with_subelements` method that was used before and uses `with_items`
which is easier to understand.  The drawback to this approach is some
duplication of key/values, but I think the overall gain is worth it.

Closes projectatomic#133
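The two-tier layout the commit message describes (a 'common' set of expected labels plus per-major-release overrides), and the F26 case from the issue and Dan's comment (the `docker*` file-context rule no longer matches once docker-storage-setup is a `lnk_file`, so it falls back to `bin_t`), as an added Python example. This is not the selinux_verify role's own Ansible code; the 'common' map beyond the docker-storage-setup entry, the stream names `fedora-25` and `fedora-26`, and the `ls -Z`-style listing are all constructed for illustration.

```python
"""
Added example (not code from the atomic-host-tests project): a minimal
SELinux file-label verifier with 'common' expectations and per-distro
overrides. The distro map wins over the common map, so a stream where a
path's label legitimately differs (the F26 symlink case) carries its own
expectation without touching the common set. Only the SELinux type
(third field of user:role:type:level) is compared, which is what the
issue is about.
"""
from typing import Dict, List, Tuple

# 'common' expectations. Only the docker-storage-setup entry comes from
# the issue; the /usr/bin/docker entry is an assumption for illustration.
COMMON_LABELS: Dict[str, str] = {
    "/usr/bin/docker-storage-setup": "container_runtime_exec_t",
    "/usr/bin/docker": "container_runtime_exec_t",
}

# Per-major-release overrides. Stream names are hypothetical keys; the
# bin_t value for Fedora 26 is the case described in the issue.
DISTRO_LABELS: Dict[str, Dict[str, str]] = {
    "fedora-26": {"/usr/bin/docker-storage-setup": "bin_t"},
}


def expected_labels(distro: str) -> Dict[str, str]:
    """Merge the common set with the distro-specific overrides."""
    merged = dict(COMMON_LABELS)
    merged.update(DISTRO_LABELS.get(distro, {}))
    return merged


def parse_ls_z(output: str) -> Dict[str, str]:
    """Parse 'ls -Z'-style lines ('<context> <path>') into path -> SELinux type."""
    observed: Dict[str, str] = {}
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        context, path = line.split(None, 1)
        fields = context.split(":")
        if len(fields) < 3:
            raise ValueError(f"malformed SELinux context: {context!r}")
        observed[path] = fields[2]
    return observed


def verify(distro: str, observed: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """
    Return (path, expected_type, observed_type) for each mismatch.
    A path absent from the listing is reported with observed type 'MISSING'
    rather than silently passing.
    """
    failures: List[Tuple[str, str, str]] = []
    for path, want in expected_labels(distro).items():
        got = observed.get(path, "MISSING")
        if got != want:
            failures.append((path, want, got))
    return failures


# Constructed listing for an F26-style host (not captured from a real system).
SAMPLE_F26_LISTING = """\
system_u:object_r:bin_t:s0 /usr/bin/docker-storage-setup
system_u:object_r:container_runtime_exec_t:s0 /usr/bin/docker
"""

if __name__ == "__main__":
    obs = parse_ls_z(SAMPLE_F26_LISTING)
    # Without the override the symlink's bin_t label is flagged; with it, the check passes.
    for stream in ("fedora-25", "fedora-26"):
        print(stream, verify(stream, obs) or "OK")
```

Running the block shows the point of the override: checked as `fedora-25` (common set only) the symlink's `bin_t` label is reported as a mismatch against `container_runtime_exec_t`, while checked as `fedora-26` the same listing passes. Keeping the override per release, rather than loosening the common expectation, preserves the stricter check on the streams where the path is still a regular file.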
mike-nguyen pushed a commit that referenced this issue Apr 21, 2017