diff options
| author | Paul Morie <pmorie@redhat.com> | 2016-10-19 11:01:01 -0400 |
|---|---|---|
| committer | Paul Morie <pmorie@redhat.com> | 2016-10-19 11:01:01 -0400 |
| commit | a4704d5519a11a2c540976fb38febe871077efda (patch) | |
| tree | d6d76a70341145baba922fa2d7193387eae50421 | |
| parent | ab6165b638388bf8636eceb279052b8bce62ffcb (diff) | |
Amendments to SELinux enhancement proposal
| -rw-r--r-- | selinux-enhancements.md | 19 |
1 files changed, 5 insertions, 14 deletions
diff --git a/selinux-enhancements.md b/selinux-enhancements.md index e9d153f6..e4afa4a7 100644 --- a/selinux-enhancements.md +++ b/selinux-enhancements.md @@ -174,9 +174,8 @@ Using the host IPC and PID namespaces is not currently supported by rkt. 2. The `SelinuxContextRunner` interface should be renamed to `SELinuxRunner` and be changed to have the same method names and signatures as the libcontainer methods its implementations wrap -3. The `SELinuxRunner` interface should have a new method added called - `GetLxcContexts`; this should return a **shared** (ie, without MCS labels) - SELinux context usable by a container +3. The `SELinuxRunner` interface only needs `Getfilecon`, which is used by + the rkt code ```go package selinux @@ -191,17 +190,9 @@ package selinux // // https://github.com/opencontainers/runc/blob/master/libcontainer/selinux/selinux.go type SELinuxRunner interface { - // Setfilecon sets the SELinux context for the given path or returns an - // error. - Setfilecon(path, context string) error - // Getfilecon returns the SELinux context for the given path or returns an // error. Getfilecon(path string) (string, error) - - // GetLxcContexts returns the process and file SELinux contexts to use for - // containers. - GetLxcContexts() (string, string) } ``` @@ -233,9 +224,9 @@ ensure things work as expected under rkt. 1. The `VolumeHost` interface contains a method called `GetRootContext`; this is an artifact of the old assumptions about the Kubelet directory's SELinux context and can be removed -2. The `empty_dir.go` file should be changed to create an `SELinuxRunner` and - call its `GetLxcContexts` method to determine the right SELinux context to - give `tmpfs` mounts +2. The `empty_dir.go` file should be changed to be completely agnostic of + SELinux; no behavior in this plugin needs to be differentiated when SELinux + is enabled ### Changes to `pkg/controller/...` |