Fix relabeling failures with Z/z volumes on Mac #22290
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: n1hility The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
LGTM
8248729 to 669b8ed
/cherry-pick v5.0
@n1hility: once the present PR merges, I will cherry-pick it on top of v5.0 in a new PR and assign it to you. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
a8d729f to 6b2e5fe
Non-Linux systems, such as BSD kernels, constrain xattr updates according to file permissions. This is in contrast to Linux selinux attr writes, which are governed by an selinux policy. By default this policy allows users to relabel files owned by themselves even if file perms would otherwise disallow write. This results in robust container relabeling results on Linux, and fragile results everywhere else. Therefore, change the mac policy to force the nfs_t context on all files, and ignore all relabel events. As a side-effect, this will disallow any ability to store custom selinux constants on files. However, this is of limited use in a machine context, since files in these volumes are externally managed on systems which do not support SELinux.

Signed-off-by: Jason T. Greene <jason.greene@redhat.com>
LGTM
@ashley-cui @baude PTAL
LGTM, but I would like confirmation from someone more familiar with the Mac side before merge.
/lgtm
@n1hility: new pull request created: #22321 In response to this:
Fixes #19852
Non-Linux systems, such as BSD derived kernels, constrain selinux xattr updates according to file permissions. This is in contrast to Linux selinux attr writes, which are governed by an selinux policy. By default this policy allows users to relabel files owned by themselves even if file perms would otherwise disallow write.
This results in robust container relabeling results on Linux, and fragile results everywhere else. Therefore, change the mac policy to force the nfs_t context on all files, and ignore all relabel events.
As a side-effect, this will disallow any ability to store custom selinux contexts on files. However, this is of limited use in a machine context with host volumes, since files in these volumes are externally managed on systems which do not support SELinux.
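As an added illustration of the point the description makes (this is example code, not code from podman or from this PR): a Z/z relabel is, at the bottom, a write to each file's `security.selinux` extended attribute, and whether that write succeeds depends on the kernel and filesystem underneath the volume, not on podman. The Go probe below performs that same xattr write on a scratch file the caller owns and classifies the outcome so a tool can report "this volume cannot be relabeled" instead of failing part-way through. It assumes a Linux host (the `syscall` xattr calls are Linux-only in the standard library); `ProbeRelabel`, the outcome names and the sample context string are this example's own.

```go
package main

import (
	"fmt"
	"os"
	"syscall"
)

// RelabelOutcome classifies what happened when a file's SELinux label was
// written through the security.selinux xattr.
type RelabelOutcome int

const (
	// OutcomeError means the probe itself could not run (e.g. dir is unwritable).
	OutcomeError RelabelOutcome = iota
	// OutcomeRelabeled means the kernel accepted and stored the new context.
	OutcomeRelabeled
	// OutcomeUnsupported means the filesystem or kernel has no SELinux xattr
	// to write (ENOTSUP): relabeling this volume can never work.
	OutcomeUnsupported
	// OutcomeDenied means a permission check refused the write (EPERM/EACCES),
	// which is the fragile case the PR description refers to: DAC file perms on
	// BSD-derived kernels, or the loaded policy on Linux.
	OutcomeDenied
	// OutcomeRejected means the context string is invalid under the loaded
	// policy (EINVAL): a policy problem rather than a permission problem.
	OutcomeRejected
)

func (o RelabelOutcome) String() string {
	switch o {
	case OutcomeRelabeled:
		return "relabeled"
	case OutcomeUnsupported:
		return "unsupported"
	case OutcomeDenied:
		return "denied"
	case OutcomeRejected:
		return "rejected"
	default:
		return "error"
	}
}

// selinuxXattr is the extended attribute SELinux keeps a file's context in.
const selinuxXattr = "security.selinux"

// ProbeRelabel creates a scratch file owned by the caller inside dir, tries to
// give it the supplied SELinux context, and classifies the result. The scratch
// file is always removed. An error is returned only when the probe itself could
// not run, never for an unsuccessful relabel.
func ProbeRelabel(dir, context string) (RelabelOutcome, error) {
	f, err := os.CreateTemp(dir, ".relabel-probe-*")
	if err != nil {
		return OutcomeError, fmt.Errorf("creating probe file: %w", err)
	}
	path := f.Name()
	f.Close()
	defer os.Remove(path)

	// The same system call a volume relabel performs on every file.
	err = syscall.Setxattr(path, selinuxXattr, []byte(context), 0)
	switch err {
	case nil:
		return OutcomeRelabeled, nil
	case syscall.ENOTSUP:
		return OutcomeUnsupported, nil
	case syscall.EPERM, syscall.EACCES:
		return OutcomeDenied, nil
	case syscall.EINVAL:
		return OutcomeRejected, nil
	default:
		return OutcomeError, fmt.Errorf("setxattr %s on %s: %w", selinuxXattr, path, err)
	}
}

func main() {
	dir := os.TempDir()
	if len(os.Args) > 1 {
		dir = os.Args[1]
	}
	// Constructed sample context (assumption: container_file_t is the type
	// podman's relabels use on Fedora-family hosts; any context the loaded
	// policy knows would serve the probe equally well).
	outcome, err := ProbeRelabel(dir, "system_u:object_r:container_file_t:s0")
	if err != nil {
		fmt.Fprintln(os.Stderr, "probe failed:", err)
		os.Exit(1)
	}
	fmt.Printf("relabel of files under %s: %s\n", dir, outcome)
}
```

Run it with the volume's host directory as the argument. On a Linux host with SELinux the expected answer is `relabeled`; `denied` or `unsupported` is the signal that, as the description says, relabel results on this filesystem are at the mercy of file permissions and a tool should stop treating relabel failures as bugs in the volume code.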