Amendments to SELinux enhancement proposal
pmorie committed Oct 19, 2016
1 parent be1996e commit 0770dcd
Showing 1 changed file with 5 additions and 14 deletions.
19 changes: 5 additions & 14 deletions docs/proposals/selinux-enhancements.md
@@ -174,9 +174,8 @@ Using the host IPC and PID namespaces is not currently supported by rkt.
2. The `SelinuxContextRunner` interface should be renamed to `SELinuxRunner`
and be changed to have the same method names and signatures as the
libcontainer methods its implementations wrap
3. The `SELinuxRunner` interface should have a new method added called
`GetLxcContexts`; this should return a **shared** (ie, without MCS labels)
SELinux context usable by a container
3. The `SELinuxRunner` interface only needs `Getfilecon`, which is used by
the rkt code

```go
package selinux
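Review bot: the rewritten item 3 removes both `Setfilecon` and `GetLxcContexts` from the interface but only justifies keeping `Getfilecon` ("which is used by the rkt code"); it should also say that `Setfilecon` goes away because no caller remains, otherwise a reader of item 2 (which asks for the same method names and signatures as the libcontainer methods the implementations wrap) may expect the wrapped libcontainer surface to stay intact. A short pointer to the rkt code path that needs `Getfilecon` would make the claim checkable.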
@@ -191,17 +190,9 @@ package selinux
//
// https://github.com/opencontainers/runc/blob/master/libcontainer/selinux/selinux.go
type SELinuxRunner interface {
// Setfilecon sets the SELinux context for the given path or returns an
// error.
Setfilecon(path, context string) error

// Getfilecon returns the SELinux context for the given path or returns an
// error.
Getfilecon(path string) (string, error)

// GetLxcContexts returns the process and file SELinux contexts to use for
// containers.
GetLxcContexts() (string, string)
}
```

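Review bot: the doc comment on the one surviving method reads "returns the SELinux context for the given path or returns an error"; with the interface now reduced to a single method, tidy it to "Getfilecon returns the SELinux context for the given path, or an error." The interface comment still points at libcontainer's selinux.go, which is fine, but it should say that only the read side (`Getfilecon`) is wrapped now, since the kubelet no longer sets file contexts through this interface.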
@@ -233,9 +224,9 @@ ensure things work as expected under rkt.
1. The `VolumeHost` interface contains a method called `GetRootContext`; this
is an artifact of the old assumptions about the Kubelet directory's SELinux
context and can be removed
2. The `empty_dir.go` file should be changed to create an `SELinuxRunner` and
call its `GetLxcContexts` method to determine the right SELinux context to
give `tmpfs` mounts
2. The `empty_dir.go` file should be changed to be completely agnostic of
SELinux; no behavior in this plugin needs to be differentiated when SELinux
is enabled

### Changes to `pkg/controller/...`

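Review bot: the new item 2 asserts that no behavior in the `empty_dir` plugin needs to differ when SELinux is enabled, but the text it replaces was the only place that said how `tmpfs` mounts get a usable SELinux context; the proposal should now state where that label comes from once `empty_dir.go` stops calling `GetLxcContexts`, because together with item 1's removal of `GetRootContext` this change leaves the label source unspecified for the reader.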
