mirrors/flatcar-scripts
1
0
Fork 0
mirror of https://github.com/flatcar/scripts.git synced 2025-11-30 15:02:06 +01:00
Code Issues Packages Projects Releases Wiki Activity
flatcar-scripts/sdk_container
History
Mathieu Tortuyaux 5c25c3835c sec-policy/selinux-base-policy: add capability to unlabeled_t 
with this patch, we allow `unlabeled_t` to associate to tmpfs
filesystem.
It aims to solve the AVC we have with `torcx` with the
`torcx-generator`:
```
Nov 15 09:45:43 localhost audit[688]: AVC avc: denied { associate } for pid=688 comm="torcx-generator" name="docker" dev="tmpfs" ino=2 scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=0
```

It has been not been caught earlier because it occurs
when the system boots with `SELinux` in `enforcing` mode.

This denial was preventing torcx to finish correctly its setup and so
Docker was not able to start.

Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
2021-11-18 16:56:55 +01:00
..
src/third_party/coreos-overlay
sec-policy/selinux-base-policy: add capability to unlabeled_t
2021-11-18 16:56:55 +01:00