Add podman rules for OpenStack #18

Merged
merged 1 commit into from Oct 1, 2018

Contributor

cjeanner commented Sep 11, 2018

Currently, services with container_t flag cannot access some of the
host content, such as the certificates (cert_t) and OpenVSwitch socket
(openvswitch_t socket).

This patch corrects that situation.

Contributor

rhatdan commented Sep 11, 2018

This policy will work much better.

```
policy_module(os-podman, 1.0)
gen_require(`
        type container_t;
')
#============= container_t ==============
miscfiles_read_generic_certs(container_t)
openvswitch_stream_connect(container_t)
```
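
Added example, not part of the pull request or the project's code: a small triage script that groups AVC denials for `container_t` by target type and class, then names which of the two interfaces above is the candidate fix. The log lines, the `triage` helper and the type-to-interface table are assumptions constructed for illustration; denials with no mapped interface (the `shadow_t` line here) are left for review.

```python
import re
from collections import defaultdict

# Constructed audit.log lines for illustration (not taken from the pull request).
SAMPLE_LOG = """\
type=AVC msg=audit(1536650000.101:410): avc:  denied  { read } for  pid=1234 comm="neutron-server" name="ca.pem" dev="vda1" ino=1001 scontext=system_u:system_r:container_t:s0:c1,c2 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=0
type=AVC msg=audit(1536650000.102:411): avc:  denied  { open } for  pid=1234 comm="neutron-server" path="/etc/pki/tls/certs/ca.pem" dev="vda1" ino=1001 scontext=system_u:system_r:container_t:s0:c1,c2 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=0
type=AVC msg=audit(1536650003.220:415): avc:  denied  { connectto } for  pid=2345 comm="ovs-vsctl" path="/run/openvswitch/db.sock" scontext=system_u:system_r:container_t:s0:c3,c4 tcontext=system_u:system_r:openvswitch_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1536650007.900:420): avc:  denied  { read } for  pid=3456 comm="cat" name="shadow" dev="vda1" ino=2002 scontext=system_u:system_r:container_t:s0:c5,c6 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=AVC msg=audit(1536650009.300:421): avc:  denied  { read } for  pid=4567 comm="httpd" name="ca.pem" dev="vda1" ino=1001 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=0
"""

# Target type -> interface used in the policy above. Keyed on type only: a
# simplification assumed for this example, not a statement of every
# permission each interface grants.
INTERFACE_FOR_TYPE = {
    "cert_t": "miscfiles_read_generic_certs",
    "openvswitch_t": "openvswitch_stream_connect",
}

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def triage(log_text, source_type="container_t"):
    """Group denied permissions by (target type, class) for one source domain."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or selinux_type(m["scon"]) != source_type:
            continue  # not an AVC denial, or a different source domain
        denials[(selinux_type(m["tcon"]), m["tclass"])].update(m["perms"].split())
    return [
        (ttype, tclass, sorted(perms), INTERFACE_FOR_TYPE.get(ttype))
        for (ttype, tclass), perms in sorted(denials.items())
    ]

if __name__ == "__main__":
    for ttype, tclass, perms, iface in triage(SAMPLE_LOG):
        action = f"candidate: {iface}(container_t)" if iface else "no mapped interface, review before allowing"
        print(f"{ttype}:{tclass} {{ {' '.join(perms)} }} -> {action}")
```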

Contributor

rhatdan commented Sep 11, 2018

@wrabcak FYI

Contributor

cjeanner commented Sep 11, 2018

Oh, so there is some kind of "macro" already existing - great! I'll update the patch.

Add podman rules for OpenStack
Currently, services with container_t flag cannot access some of the
host content, such as the certificates (cert_t) and OpenVSwitch socket
(openvswitch_t socket).

This patch corrects that situation.

Contributor

wrabcak commented Sep 11, 2018

Yeah, after the change based on the comment by Dan, it's OK right now.

LGTM

@JAORMX

JAORMX approved these changes Sep 14, 2018

Contributor

cjeanner commented Sep 26, 2018

Hello there,
Any ETA for the merge? We will really need that patch (and a release with it) :).

Thank you!

Cheers,

C.

Contributor

cjeanner commented Sep 28, 2018

Hello @wrabcak @lhh @rhatdan,

Would it be possible to get that one merged soon? We really need that change in order to go forward with the podman integration :).

Thank you!

@lhh lhh merged commit 42045c1 into redhat-openstack:master Oct 1, 2018

Member

lhh commented Oct 1, 2018

These are merged; however, they belong in openvswitch-selinux-extra-policy long-term.

Member

lhh commented Oct 1, 2018

(Also, my apologies for the delay)
