This repository has been archived by the owner on Oct 16, 2020. It is now read-only.
On looking at it a bit, it seems container-selinux just gives policy for containers, so it seems the host policy and admin tools that come from the Gentoo SELinux packages are still needed. I guess we would need to disable/remove any container support in the Gentoo policy packages we use.
Thank you for reporting this issue. Unfortunately, we don't think we'll end up addressing it in Container Linux.
We're now working on Fedora CoreOS, the successor to Container Linux, and we expect most major development to occur there instead. Meanwhile, Container Linux will be fully maintained into 2020 but won't see many new features. We appreciate your taking the time to report this issue and we're sorry that we won't be able to address it.
Feature Request
Currently, Container Linux ships with a stripped-down version of Gentoo's patches to the refpolicy.
Unfortunately, Container Linux hasn't really kept up with Gentoo or the refpolicy, and furthermore the refpolicy has not kept up with how Docker uses SELinux these days.
Gentoo's policy still uses svirt_t for containers. Docker has moved to recommending container_t, and all current versions of Fedora have moved to it as well. See moby/moby#32437 for some info on the Docker side.
For Fedora's move, see fedora-selinux/selinux-policy#187.
Using this more modern SELinux policy will make it easier to use SELinux on Container Linux.
This might fix #2125, among other issues in our bugtracker.
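An added example, not from the issue or the Container Linux project: a POSIX shell helper that classifies `ps -eZ` output by SELinux type, so an administrator can see whether the containers on a host are confined as the modern container_t or the legacy svirt_t family discussed above. It assumes any type beginning with `svirt_` belongs to the legacy family and that the input is in the standard `ps -eZ` layout; the sample lines are constructed.

```shell
#!/bin/sh
# Added example (not part of the issue): classify the SELinux domain of each
# process in `ps -eZ` output so you can tell whether containers run as the
# modern container_t or the legacy svirt_t family.
# Usage on a live host:  ps -eZ | classify_container_domains
# Assumption: any type starting with "svirt_" is counted as the legacy family.

classify_container_domains() {
    awk '
    NR == 1 && $1 == "LABEL" { next }   # skip the ps header line
    {
        # A context is user:role:type[:level]; the type is the third component.
        split($1, ctx, ":")
        type = ctx[3]
        if (type == "container_t")      modern++
        else if (type ~ /^svirt_/)      legacy++
        else                            other++   # host daemons, runtime, etc.
    }
    END {
        # Uninitialised awk counters print as 0.
        printf "container_t=%d legacy_svirt=%d other=%d\n", modern, legacy, other
    }'
}

# Constructed sample of `ps -eZ` output (not captured from a real host).
# Note container_runtime_t (dockerd) is deliberately NOT counted as a container.
SAMPLE_PS='LABEL                                      PID TTY          TIME CMD
system_u:system_r:init_t:s0                  1 ?        00:00:02 systemd
system_u:system_r:container_runtime_t:s0  1200 ?        00:00:05 dockerd
system_u:system_r:container_t:s0:c12,c34  2314 ?        00:00:01 nginx
system_u:system_r:container_t:s0:c12,c34  2320 ?        00:00:00 nginx
system_u:system_r:svirt_t:s0:c55,c77      2400 ?        00:00:00 redis-server'

# Run the constructed sample when invoked with --demo.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_PS" | classify_container_domains
fi
```

A host whose policy still labels containers under the svirt_ family will show a non-zero legacy_svirt count and zero container_t.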