Merge pull request #35127 from pmorie/selinux-overhaul

Automatic merge from submit-queue

Amendments to SELinux enhancement proposal

Makes some changes to the proposal from #33951 based on some further research.
Kubernetes Submit Queue 2016-10-24 14:23:09 -07:00 committed by GitHub
commit dfe801de10


@ -174,9 +174,8 @@ Using the host IPC and PID namespaces is not currently supported by rkt.
2. The `SelinuxContextRunner` interface should be renamed to `SELinuxRunner` 2. The `SelinuxContextRunner` interface should be renamed to `SELinuxRunner`
and be changed to have the same method names and signatures as the and be changed to have the same method names and signatures as the
libcontainer methods its implementations wrap libcontainer methods its implementations wrap
3. The `SELinuxRunner` interface should have a new method added called 3. The `SELinuxRunner` interface only needs `Getfilecon`, which is used by
`GetLxcContexts`; this should return a **shared** (ie, without MCS labels) the rkt code
SELinux context usable by a container
```go ```go
package selinux package selinux
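Review bot: the rewritten item 3 justifies keeping only `Getfilecon` with "which is used by the rkt code" but does not name the rkt call site, and it drops the requirement the replaced text carried (a **shared** context without MCS labels usable by a container) without saying whether that requirement went away or is met elsewhere. Suggest naming the rkt code path that calls `Getfilecon` and adding a short clause on why a method that derives a container context is no longer needed, so a reader of this item does not have to search the rest of the proposal for the rationale.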
@ -191,17 +190,9 @@ package selinux
// //
// https://github.com/opencontainers/runc/blob/master/libcontainer/selinux/selinux.go // https://github.com/opencontainers/runc/blob/master/libcontainer/selinux/selinux.go
type SELinuxRunner interface { type SELinuxRunner interface {
// Setfilecon sets the SELinux context for the given path or returns an
// error.
Setfilecon(path, context string) error
// Getfilecon returns the SELinux context for the given path or returns an // Getfilecon returns the SELinux context for the given path or returns an
// error. // error.
Getfilecon(path string) (string, error) Getfilecon(path string) (string, error)
// GetLxcContexts returns the process and file SELinux contexts to use for
// containers.
GetLxcContexts() (string, string)
} }
``` ```
@ -233,9 +224,9 @@ ensure things work as expected under rkt.
1. The `VolumeHost` interface contains a method called `GetRootContext`; this 1. The `VolumeHost` interface contains a method called `GetRootContext`; this
is an artifact of the old assumptions about the Kubelet directory's SELinux is an artifact of the old assumptions about the Kubelet directory's SELinux
context and can be removed context and can be removed
2. The `empty_dir.go` file should be changed to create an `SELinuxRunner` and 2. The `empty_dir.go` file should be changed to be completely agnostic of
call its `GetLxcContexts` method to determine the right SELinux context to SELinux; no behavior in this plugin needs to be differentiated when SELinux
give `tmpfs` mounts is enabled
### Changes to `pkg/controller/...` ### Changes to `pkg/controller/...`
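Review bot: item 2 now asserts that no behavior in `empty_dir.go` needs to differ when SELinux is enabled, but the lines it replaces were the only place the proposal said how `tmpfs` mounts get a usable SELinux context, so the claim is asserted rather than explained. Suggest one sentence after "is enabled" naming the component that labels the `tmpfs` mount once the plugin no longer computes a context for it; without that, `tmpfs` labeling is left unaddressed by the proposal.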