Skip to content
This repository has been archived by the owner on Feb 24, 2020. It is now read-only.

Store used MCS contexts on the filesystem #1742

Merged
merged 1 commit into from
Nov 23, 2015
Merged

Store used MCS contexts on the filesystem #1742

merged 1 commit into from
Nov 23, 2015

Conversation

mjg59
Copy link
Contributor

@mjg59 mjg59 commented Nov 13, 2015

In the absence of a long-running daemon, the current code that ensures that
SELinux contexts aren't reused makes no sense - it's simply keeping a map
of used contexts, which means independent instances of rkt aren't sharing
this list. Keep the contexts in the filesystem instead in order to avoid
this.

@mjg59 mjg59 mentioned this pull request Nov 13, 2015
Closed
vcaputo
vcaputo reviewed Nov 13, 2015
View reviewed changes
pkg/selinux/selinux.go
@@ -270,19 +269,31 @@ func SelinuxGetEnforceMode() int {
}

func mcsAdd(mcs string) error {
if mcsList[mcs] {
return fmt.Errorf("MCS Label already exists")
filename := fmt.Sprintf("%s/%s", "/run/rkt/", mcs)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe add a helper for constructing this path and use it throughout?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sure

@iaguis iaguis added this to the v0.12.0 milestone Nov 16, 2015
iaguis
iaguis reviewed Nov 16, 2015
View reviewed changes
pkg/selinux/selinux.go
if os.IsExist(err) {
return fmt.Errorf("MCS Label already exists")
} else {
return fmt.Errorf("Unable to test MCS: %s", err)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Errors should be returned lower-cased. Also, some callers of this function are not checking them (maybe it's intended)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We don't use any of the other callers of this. ReserveLabel() is fine with failure, CopyLabel() is inherently racy and so we'll be avoiding it in any case.

alban
alban reviewed Nov 17, 2015
View reviewed changes
pkg/selinux/selinux.go
if mcsList[mcs] {
return fmt.Errorf("MCS Label already exists")
filename := mcsPath(mcs)
file, err := os.OpenFile(filename, os.O_CREATE|os.O_EXCL|os.O_RDONLY, 0644)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The directory /run/rkt seems to be created by metadata_service.go:unixListener() if the metadata service is used, but it might not exist otherwise.

Can you create the directory?

Actually, do all modern distributions set up a /run tmpfs? Or older distros like Centos 6.x (that we try to support, see #1443).

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We'll now create the directory if it doesn't exist.

@vcaputo
Copy link
Contributor

vcaputo commented Nov 17, 2015

other than alban's concerns, lgtm

Store used MCS contexts on the filesystem
e1d3f4c 
In the absence of a long-running daemon, the current code that ensures that
SELinux contexts aren't reused makes no sense - it's simply keeping a map
of used contexts, which means independent instances of rkt aren't sharing
this list. Keep the contexts in the filesystem instead in order to avoid
this.
@mjg59
Copy link
Contributor Author

mjg59 commented Nov 20, 2015

I think I've answered @alban's concerns

@alban
Copy link
Member

alban commented Nov 23, 2015

LGTM

alban added a commit that referenced this pull request Nov 23, 2015
@alban
Merge pull request #1742 from mjg59/maintain_contexts
4c74601 
Store used MCS contexts on the filesystem
@alban alban merged commit 4c74601 into rkt:master Nov 23, 2015
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers
No reviews
Assignees
No one assigned
Labels
area/security component/stage0 kind/bug needs/some-changes priority/P1
Projects
None yet
Milestone
v0.12.0
Development

Successfully merging this pull request may close these issues.
4 participants
@mjg59 @vcaputo @alban @iaguis