On Mon, Jun 27, 2016, at 05:04 AM, Miroslav Grepl wrote:
> So we could start to discuss how it is possible to ship new policy on
> Atomic to solve these urgent issues.
As far as I see, the mac_admin issue (and the missing domain transition from
init_t for install_exec_t) has nothing to do with a reduction in policy
size/scope, right? rpm-ostree just needs the same abilities granted to rpm
(yum/dnf) and notably PackageKit (which has been a daemon forever). Hopefully
this latest policy update will be the last time it breaks (at least before we
figure out how to put a regression test for this in between bodhi and the
tree updates).

Anyways, this leads to my biggest concern with having any separate policy:
all of a sudden the labels and documentation that people will use when doing
Docker on Atomic Host are different from what one gets if one just
`yum install docker` on Fedora Server|Workstation, and it means we need
separate testing too. I use docker on Fedora Workstation[1] myself. I have
trouble imagining the pain of carrying that delta is going to be worth the
benefit...

> Can you guys think about a way to do it?

Mechanically, it's pretty easy to try it out:

diff --git a/fedora-atomic-docker-host.json b/fedora-atomic-docker-host.json
index 70a1e41..722281d 100644
--- a/fedora-atomic-docker-host.json
+++ b/fedora-atomic-docker-host.json
@@ -1,7 +1,7 @@
 {
     "ref": "fedora-atomic/24/x86_64/docker-host",
-    "repos": ["fedora-24"],
+    "repos": ["fedora-24", "mgrepl-seatomic"],
     "selinux": true,
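Review bot: the repo added on the `+    "repos": ["fedora-24", "mgrepl-seatomic"],` line is a personal/experimental repo by name, not a Fedora release repo, so the tree now depends on where that repo is defined and who publishes to it. That is fine for the try-it-out purpose the message states, but before this goes any further the hunk should say where "mgrepl-seatomic" comes from and how its packages are meant to reach Fedora proper, otherwise the compose is unreproducible for anyone without that repo.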
@@ -50,7 +50,7 @@
     "sos", "openssh-clients", "openssh-server", "passwd",
     "plymouth", "policycoreutils", "procps-ng", "rootfiles", "rpm",
-    "selinux-policy-targeted", "setup", "shadow-utils",
+    "selinux-policy-atomic", "setup", "shadow-utils",
     "sudo", "systemd", "util-linux", "vim-minimal", "less", "tar",

Looks like docker-selinux fails to compile:

Failed to resolve 'object_r' in roletype statement at line 2 of /var/lib/selinux/targeted/tmp/modules/400/docker/cil

(Because this is rpm, the %post isn't fatal and we continue, but going beyond
experimentation we'd have to have docker-selinux-atomic or figure out how to
have the existing policy package somehow conditional.)

Finally, though, it does error out with:

error: With policy root '/proc/self/fd/16/usr/etc/selinux': selabel_open(SELABEL_CTX_FILE): No such file or directory

Which appears to be because:

# grep SELINUXTYPE /var/tmp/rpm-ostree.work/rootfs.tmp/etc/selinux/config
SELINUXTYPE=targeted

That should be easy to fix, but again I'm currently very uncertain about the
value proposition here. I think a redesign of the policy would need to cover
more of Fedora than just Atomic Host. (For example, what about
https://fedoraproject.org/wiki/Changes/WorkstationOstree ?)

[1] Actually on https://ci.centos.org/job/atomic-fedora-ws/ which is similar
to the above except I included docker.
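Review bot: the `-    "selinux-policy-targeted", "setup", "shadow-utils",` / `+    "selinux-policy-atomic", "setup", "shadow-utils",` swap changes only which policy package lands in the tree; nothing in the hunk switches SELINUXTYPE in /etc/selinux/config or the docker-selinux module to the new store, and the two failures reported in the message (the docker CIL module failing to resolve under /var/lib/selinux/targeted, then selabel_open failing while the config still says SELINUXTYPE=targeted) follow directly from that. Either selinux-policy-atomic has to own the config so the type flips with the package, or this hunk needs a matching docker-selinux variant and a config override alongside it, and the non-fatal %post failure should be treated as a compose error rather than something that is only noticed later.

The selabel_open failure above comes from the policy root naming a store that is not installed, which is the kind of thing the wished-for regression test between bodhi and the tree updates should catch before a compose. The following is an added example, not code from the thread or from rpm-ostree: a POSIX shell check that reads SELINUXTYPE from a tree's /etc/selinux/config and verifies that the named store actually carries a file_contexts database (the file selabel_open(SELABEL_CTX_FILE) loads by default). The two rootfs trees it inspects are constructed in a temporary directory to reproduce the mismatch; point check_policy_root at a real rootfs.tmp to use it for real.

```shell
#!/bin/sh
# Added example (not from the original thread): sanity-check a tree's SELinux
# policy root before composing it. selabel_open(SELABEL_CTX_FILE) resolves the
# file_contexts database under /etc/selinux/<SELINUXTYPE>/contexts/files/, so a
# config that still says SELINUXTYPE=targeted while only an "atomic" store is
# installed fails the way the message above reports. The rootfs layouts below
# are constructed for the demo; ROOT is whatever checkout you want to inspect.

# Print the policy type named in ROOT/etc/selinux/config (empty if none).
selinux_type_of() {
    root=$1
    sed -n 's/^SELINUXTYPE=[[:space:]]*//p' "$root/etc/selinux/config" 2>/dev/null | tail -n 1
}

# Return 0 when the configured store contains a file_contexts database,
# 1 otherwise. On failure, list the stores that are actually installed so
# the mismatch is obvious.
check_policy_root() {
    root=$1
    ptype=$(selinux_type_of "$root")
    if [ -z "$ptype" ]; then
        echo "no SELINUXTYPE in $root/etc/selinux/config" >&2
        return 1
    fi
    fc="$root/etc/selinux/$ptype/contexts/files/file_contexts"
    if [ -f "$fc" ]; then
        echo "ok: SELINUXTYPE=$ptype, $fc present"
        return 0
    fi
    echo "mismatch: SELINUXTYPE=$ptype but $fc is missing" >&2
    for d in "$root"/etc/selinux/*/; do
        [ -d "$d" ] && echo "  installed store: $(basename "$d")" >&2
    done
    return 1
}

# Build a constructed rootfs: config says CFGTYPE, but the only installed
# store is STORE. Used to produce both a consistent and a mismatched tree.
make_fake_root() {
    root=$1
    cfgtype=$2
    store=$3
    mkdir -p "$root/etc/selinux/$store/contexts/files"
    : > "$root/etc/selinux/$store/contexts/files/file_contexts"
    printf 'SELINUX=enforcing\nSELINUXTYPE=%s\n' "$cfgtype" > "$root/etc/selinux/config"
}

# Walk through the two cases: a consistent targeted tree, and a tree where the
# policy package was swapped for an "atomic" store but the config was not.
demo() {
    tmp=$(mktemp -d)
    make_fake_root "$tmp/good" targeted targeted
    make_fake_root "$tmp/bad"  targeted atomic
    check_policy_root "$tmp/good"
    check_policy_root "$tmp/bad" || echo "bad tree rejected, as expected"
    rm -rf "$tmp"
}

demo
```

Run it as-is to see both outcomes; in a compose pipeline you would call `check_policy_root "$ROOTFS"` right after package installation and fail the build on a non-zero return, which is exactly the point at which the non-fatal %post above would otherwise slip through.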