Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

add aliases for container-selinux types #1316

Merged
merged 2 commits into from
Feb 12, 2021
Merged

add aliases for container-selinux types #1316

merged 2 commits into from
Feb 12, 2021

Conversation

bcressey
Copy link
Contributor

Issue number:
N/A

Description of changes:
This aliases container-selinux policy types such as spc_t to our own policy types.

That lets us drop one of the Kubernetes patches we've been carrying for a while, and makes it easier to port pod and task definitions from Amazon Linux to Bottlerocket.

Testing done:
Verified that a pod with spc_t set in its security context ended up running as control_t.

Confirmed that there were no warnings about an invalid container_file_t context with the Kubernetes patch reverted, which was what it was originally intended to fix per 2e111e3.

Terms of contribution:

By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.

@bcressey
selinux-policy: add aliases for container-selinux types
68cfdcf 
This define aliases for the corresponding types in the supplemental
container-selinux policy that's widely used.

These aliases allow pods and task definitions to specify labels such
as `spc_t` and have them also work on Bottlerocket.

Signed-off-by: Ben Cressey <bcressey@amazon.com>
@bcressey
kubernetes: drop patch for kubelet plugins label
2e1fa38 
Now that we alias `container_file_t` to `local_t` in our policy, we
don't need this patch to avoid an invalid context warning.

Signed-off-by: Ben Cressey <bcressey@amazon.com>
samuelkarp
samuelkarp approved these changes Feb 11, 2021
View reviewed changes
Copy link
Contributor

@samuelkarp samuelkarp left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not 100% wild about this as now we've made our labels tied to the container-selinux labels, but it does provide a better experience for moving workloads to Bottlerocket.

@bcressey bcressey merged commit 7209733 into bottlerocket-os:develop Feb 12, 2021
@bcressey bcressey deleted the selinux-aliases branch February 12, 2021 04:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@samuelkarp samuelkarp samuelkarp approved these changes

@tjkirch tjkirch tjkirch approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@bcressey @tjkirch @samuelkarp