Page MenuHomeDevCentral
Create Task
Maniphest T1418

Review SELinux context for Docker containers
Closed, ResolvedPublic
Actions

Description

First, svirt_sandbox_file_t is superseded by container_t

But more importantly, the following Salt block fails on Equatower:

selinux_context_etherpad_data:
  selinux.fcontext_policy_present:
    - name: /srv/etherpad
    - sel_type: svirt_sandbox_file_t

selinux_context_etherpad_data_applied:
  selinux.fcontext_policy_applied:
    - name: /srv/etherpad

Revisions and Commits

rOPS Nasqueron Operations
D1743rOPS8c08bbe3a2c5 Supersede svirt_sandbox_file_t by container_file_t

Event Timeline

dereckson triaged this task as Normal priority.Sep 10 2018, 11:06
dereckson created this task.

But see also https://github.com/saltstack/salt/issues/45825

dereckson added a comment.Sep 11 2018, 10:36

Use the new container_file_t solves the issue:

Equatower
$ semanage fcontext -a -t svirt_sandbox_file_t /srv/pad                                                                              
ValueError: Type svirt_sandbox_file_t is invalid, must be a file or device type
$ semanage fcontext -a -t container_file_t /srv/pad
(no error)
dereckson added a revision: D1743: Supersede svirt_sandbox_file_t by container_file_t.Sep 12 2018, 12:53
dereckson claimed this task.Sep 12 2018, 12:53
dereckson added a comment.Sep 12 2018, 12:55
$ salt equatower state.apply roles/paas-docker/containers/jenkins
----------
          ID: selinux_context_jenkins_home
    Function: selinux.fcontext_policy_present
        Name: /srv/jenkins/cd/jenkins_home
      Result: True
     Comment: 
     Started: 12:54:16.919480
    Duration: 4048.744 ms
     Changes:   
              ----------
              new:
                  ----------
                  /srv/jenkins/cd/jenkins_home:
                      ----------
                      filetype:
                          all files
                      sel_type:
                          container_file_t
              old:
                  ----------
----------
dereckson closed this task as Resolved by committing rOPS8c08bbe3a2c5: Supersede svirt_sandbox_file_t by container_file_t.Sep 12 2018, 12:57
dereckson added a commit: rOPS8c08bbe3a2c5: Supersede svirt_sandbox_file_t by container_file_t.
Nasqueron DevCentral · If it had been much bigger the moon would have had a core of ice. · Powered by Phabricator