enable container_manage_cgroup SELinux boolean by default #397
Comments
For Coreos, this needs to be on by default since it can not be permanently enabled on the system.
This would work now. Note no
Doesn't cgroup v2 avoid the need for this? What are the security implications of setting this?
No, cgroup v2 does not fix this, sadly. I have to get back to the upstream developers to see if anyone has made progress. This basically means, from an SELinux point of view, that containers can modify the cgroup file system if they can get to it.
I'm +1 as I already needed to do this for one of my servers. Here's a comment with the unit I used: #368 (comment)
It looks like the security implications are described in a little more detail here: https://bugzilla.redhat.com/show_bug.cgi?id=1806038#c8 In light of that I'm rethinking my earlier +1 here.
This was discussed in today's community meeting:
I am looking into adding a type for running systemd based containers. The question would be whether or not we want to force users to figure out the label, or just add this to the selinux stack.
@rhatdan - sent you an email to try to coordinate a time to discuss this. @jlebon - so the remaining step is to add documentation for now. We'll consider coreos/fedora-coreos-config#291 and then add documentation after that is considered. |
@rhatdan i checked "container_manage_cgroup" for my container- |
If SELinux is disabled on the host, then this will not effect anything. |
@harshblog150 Also, I think you need to run those commands directly on the host itself. Here is an example of automating it: #368 (comment) |
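The two points made in the comments above, that the boolean only matters when SELinux is enabled and that it has to be set on the host itself, can be turned into a small host-side check. The script below is an added example written for this page; it is not code from the issue, from the unit linked in #368, or from the Fedora CoreOS project. The function names, the "apply" argument and the layout of the emitted systemd unit are assumptions made here. It reads the boolean with `getsebool`, refuses to do anything when `getenforce` reports Disabled, and otherwise enables the boolean persistently with `setsebool -P`; it also prints a oneshot unit as one way to re-apply the change at boot where a persistent policy change is not convenient.

```shell
#!/bin/sh
# Added example for this thread; not code from the issue, the unit linked in
# #368, or the Fedora CoreOS project. Function names and the unit layout are
# assumptions. Purpose: check the container_manage_cgroup SELinux boolean on
# the host and enable it persistently only when SELinux is actually enabled.

# Map one line of `getsebool container_manage_cgroup` output
# ("container_manage_cgroup --> off") to "on", "off" or "unknown".
sebool_state() {
  case "$1" in
    *"--> on"*)  echo on ;;
    *"--> off"*) echo off ;;
    *)           echo unknown ;;
  esac
}

# Decide what to do from the `getenforce` mode and the boolean state.
# With SELinux disabled the boolean changes nothing, so report "noop"
# rather than pretending to loosen or harden anything.
decide() {
  mode="$1"   # Enforcing, Permissive or Disabled
  state="$2"  # on, off or unknown
  if [ "$mode" = Disabled ]; then
    echo noop
  elif [ "$state" = on ]; then
    echo already-on
  else
    echo enable
  fi
}

# Print a systemd oneshot unit that re-applies the boolean at boot. This is one
# way to get a persistent change on a host where a plain `setsebool -P` is not
# convenient; the unit content is an assumed shape, not the one from #368.
emit_unit() {
  cat <<'EOF'
[Unit]
Description=Enable the container_manage_cgroup SELinux boolean
ConditionSecurity=selinux
After=local-fs.target

[Service]
Type=oneshot
ExecStart=/usr/sbin/setsebool -P container_manage_cgroup on
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target
EOF
}

# Run on the host (needs root and the SELinux tools). Nothing here touches the
# system unless the script is invoked with "apply".
apply_on_host() {
  mode=$(getenforce)
  state=$(sebool_state "$(getsebool container_manage_cgroup)")
  case "$(decide "$mode" "$state")" in
    noop)       echo "SELinux is disabled; the boolean has no effect" ;;
    already-on) echo "container_manage_cgroup is already on" ;;
    enable)
      # -P writes the change to the policy store so it survives a reboot.
      setsebool -P container_manage_cgroup on
      ;;
  esac
}

if [ "${1:-}" = apply ]; then
  apply_on_host
fi
```

Run it as root on the host with `sh check-cgroup-bool.sh apply`; run `emit_unit` from it to get unit text to install under `/etc/systemd/system/`. Keep in mind the caveat raised in the thread: once the boolean is on, a container that can reach the cgroup file system is allowed by SELinux to modify it, so set it only on hosts that actually run systemd inside containers.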
This is no longer needed. See: coreos/fedora-coreos-tracker#397 (comment)
Currently, if users want to run a container with systemd started inside of the container, they need to enable the container_manage_cgroup SELinux boolean on their host. And because the ergonomics of configuring a persistent SELinux policy change are not great on FCOS, this seems like a use case we would like to enable for users out of the box.