On 07/10/2017 04:25 AM, ascanio.al...@gmail.com wrote:
Ooops - that should read
"Currently it does not work with SELinux: it installs a host mount from
/var/lib/romana inside the pod without a transition."
romana devs ask: "adding those three lines (to) romana-services and romana-agent
would fix it, but is it better to be more specific?
(spc = super-privileged container. happy to go with spc_t if there's no other
suggestion)"
The "three lines" refers to what kubeadm's etcd pod uses, viz.,
  securityContext:
    seLinuxOptions:
      type: spc_t
Any advice is greatly appreciated.
Anthony
If you label the content in /var/lib/romana as Container content, then
this should work fine without spc_t, allowing confinement with SELinux.
Not sure if kubeadm allows you to force the relabel automatically
yet. In docker this is done with
-v /var/lib/romana:/var/lib/romana:Z
This would cause the container runtime to label /var/lib/romana on the
host correctly.
You could do this manually by executing
chcon -Rt svirt_sandbox_file_t /var/lib/romana
on the host. This second option sets the label to a shared label, which
would allow the romana container to run with SELinux confinement. But it
is not as good as the first option, since this label could be
read/written by other containers if they can gain access.
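An added example (not part of this thread, nor code from the romana or kubeadm projects) that checks a pod manifest against the trade-off described above: a container requesting spc_t is flagged as unconfined, and a confined container mounting a hostPath is flagged when the host directory does not carry a container-content label. The manifest, the /var/lib/romana path and the host labels are constructed for illustration, standing in for what `ls -Zd` would report on a real node.

```python
# Audit a pod manifest (as a Python dict, the JSON form of the YAML) together
# with the SELinux types currently on the host paths it mounts.
# Host labels are constructed here, not read from a host.

UNCONFINED_TYPES = {"spc_t"}                       # super-privileged: no confinement
SHARED_CONTENT_TYPES = {"svirt_sandbox_file_t", "container_file_t"}

def selinux_type(security_context):
    """Return the SELinux type requested in a securityContext, or None."""
    return ((security_context or {}).get("seLinuxOptions") or {}).get("type")

def audit_pod(pod, host_labels):
    """Return (container, problem) pairs for a pod spec and a host-path->type map."""
    spec = pod["spec"]
    pod_type = selinux_type(spec.get("securityContext"))
    host_paths = {v["name"]: v["hostPath"]["path"]
                  for v in spec.get("volumes", []) if "hostPath" in v}
    findings = []
    for c in spec.get("containers", []):
        ctype = selinux_type(c.get("securityContext")) or pod_type
        if ctype in UNCONFINED_TYPES:
            findings.append((c["name"], f"runs as {ctype}: SELinux does not confine it"))
            continue  # an unconfined container can reach any host label anyway
        for m in c.get("volumeMounts", []):
            path = host_paths.get(m["name"])
            if path is None:
                continue  # not a hostPath volume
            label = host_labels.get(path)
            if label not in SHARED_CONTENT_TYPES:
                findings.append((c["name"], f"hostPath {path} is {label}: a confined "
                                 f"container cannot use it; relabel it as container content"))
    return findings

def romana_agent_pod(use_spc_t):
    """Constructed manifest modelled on the thread: one hostPath, optional spc_t."""
    container = {"name": "romana-agent",
                 "volumeMounts": [{"name": "romana", "mountPath": "/var/lib/romana"}]}
    if use_spc_t:
        container["securityContext"] = {"seLinuxOptions": {"type": "spc_t"}}
    return {"kind": "Pod", "spec": {"containers": [container],
            "volumes": [{"name": "romana", "hostPath": {"path": "/var/lib/romana"}}]}}

if __name__ == "__main__":
    # var_lib_t is the default type for /var/lib; the shared type is what chcon above sets
    for use_spc_t, label in ((True, "var_lib_t"), (False, "var_lib_t"),
                             (False, "svirt_sandbox_file_t")):
        print(use_spc_t, label, audit_pod(romana_agent_pod(use_spc_t),
                                          {"/var/lib/romana": label}))
```

Only the confined container over a relabelled directory comes back with no findings; the other two cases show the two ways the mount can be made to work and what each one gives up.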