Merge pull request #35127 from pmorie/selinux-overhaul

Automatic merge from submit-queue

Amendments to SELinux enhancement proposal

Makes some changes to the proposal from #33951 based on some further research.
Kubernetes Submit Queue 2016-10-24 14:23:09 -07:00 committed by GitHub
commit dfe801de10
1 changed files with 5 additions and 14 deletions


@ -174,9 +174,8 @@ Using the host IPC and PID namespaces is not currently supported by rkt.
2. The `SelinuxContextRunner` interface should be renamed to `SELinuxRunner`
and be changed to have the same method names and signatures as the
libcontainer methods its implementations wrap
3. The `SELinuxRunner` interface should have a new method added called
`GetLxcContexts`; this should return a **shared** (ie, without MCS labels)
SELinux context usable by a container
3. The `SELinuxRunner` interface only needs `Getfilecon`, which is used by
the rkt code
```go
package selinux
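Review bot: The new item 3 drops the shared-context requirement (the removed `GetLxcContexts`, returning a context without MCS labels) without saying what replaces it; if a shared context is no longer needed, state why here, and reconcile item 2, which still says the interface should have "the same method names and signatures as the libcontainer methods its implementations wrap", with an interface that now wraps a single method. "which is used by the rkt code" is the only justification given for keeping `Getfilecon`; naming the call site would let a reader verify it.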
@ -191,17 +190,9 @@ package selinux
//
// https://github.com/opencontainers/runc/blob/master/libcontainer/selinux/selinux.go
type SELinuxRunner interface {
// Setfilecon sets the SELinux context for the given path or returns an
// error.
Setfilecon(path, context string) error
// Getfilecon returns the SELinux context for the given path or returns an
// error.
Getfilecon(path string) (string, error)
// GetLxcContexts returns the process and file SELinux contexts to use for
// containers.
GetLxcContexts() (string, string)
}
```
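Review bot: The comment above the interface links `libcontainer/selinux/selinux.go` on `master`; since the interface is meant to keep the same names and signatures as the wrapped libcontainer methods, link a pinned commit or tag so that `Getfilecon(path string) (string, error)` stays verifiable if that file changes. With `Setfilecon` and `GetLxcContexts` removed the interface is down to one method; a one-line doc comment saying why an interface is kept at all (for example, so tests can substitute a fake for the real `Getfilecon`) would help the next reader.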
@ -233,9 +224,9 @@ ensure things work as expected under rkt.
1. The `VolumeHost` interface contains a method called `GetRootContext`; this
is an artifact of the old assumptions about the Kubelet directory's SELinux
context and can be removed
2. The `empty_dir.go` file should be changed to create an `SELinuxRunner` and
call its `GetLxcContexts` method to determine the right SELinux context to
give `tmpfs` mounts
2. The `empty_dir.go` file should be changed to be completely agnostic of
SELinux; no behavior in this plugin needs to be differentiated when SELinux
is enabled
### Changes to `pkg/controller/...`
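Review bot: The replacement item 2 asserts that "no behavior in this plugin needs to be differentiated when SELinux is enabled" but removes the only text that said how `tmpfs` mounts get a usable context (the old `GetLxcContexts` call); add a sentence stating which component now labels those mounts so the claim can be checked. Item 1 and the new item 2 together remove all SELinux handling from the emptyDir path, so the section should say explicitly that the plugin relies entirely on that other component rather than leaving it implied.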