flatcar-scripts/sdk_container
Mathieu Tortuyaux 5c25c3835c sec-policy/selinux-base-policy: add capability to unlabeled_t
With this patch, we allow `unlabeled_t` to associate with the tmpfs
filesystem.
It aims to solve the AVC we have with `torcx`, coming from the
`torcx-generator`:
```
Nov 15 09:45:43 localhost audit[688]: AVC avc: denied { associate } for pid=688 comm="torcx-generator" name="docker" dev="tmpfs" ino=2 scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=0
```

It had not been caught earlier because it occurs
when the system boots with `SELinux` in `enforcing` mode.

This denial was preventing torcx from finishing its setup correctly, and so
Docker was not able to start.

Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
2021-11-18 16:56:55 +01:00
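As an added, illustrative example (not code from this commit or from the Flatcar project), the following Python snippet parses AVC records of the kind quoted in the commit message, splits the source and target contexts into their type components, and flags `associate` denials on the `filesystem` class whose source type is `unlabeled_t`, which is exactly the condition this commit addresses. The sample input is constructed: the first line is the denial quoted above, the other two are assumed variants for contrast and do not come from the page.

```python
import re

# Constructed sample input. Line 1 is the denial quoted in the commit message;
# lines 2 and 3 are assumed variants added here for contrast (not from the page).
SAMPLE_AUDIT_LINES = [
    'Nov 15 09:45:43 localhost audit[688]: AVC avc: denied { associate } for pid=688 '
    'comm="torcx-generator" name="docker" dev="tmpfs" ino=2 '
    'scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 '
    'tclass=filesystem permissive=0',
    # assumed: the same denial as it would look with SELinux in permissive mode
    'Nov 15 09:45:43 localhost audit[700]: AVC avc: denied { associate } for pid=700 '
    'comm="example-gen" name="bin" dev="tmpfs" ino=3 '
    'scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 '
    'tclass=filesystem permissive=1',
    # assumed: an unrelated denial on a different object class, should not be flagged
    'Nov 15 09:45:44 localhost audit[701]: AVC avc: denied { read } for pid=701 '
    'comm="example" name="cfg" dev="tmpfs" ino=4 '
    'scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 '
    'tclass=file permissive=0',
]

# "avc: denied { perm1 perm2 } for key=value ..." (result, permission set, fields)
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$'
)
# key=value pairs; values are either double-quoted or a run of non-space characters
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict describing the AVC record in `line`, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    # A context is user:role:type:level; keep the type component for easy filtering.
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            parts = rec[ctx].split(":")
            rec[ctx + "_type"] = parts[2] if len(parts) > 2 else None
    # permissive=1 means the record was logged but the access was still allowed.
    rec["permissive"] = rec.get("permissive") == "1"
    return rec


def is_unlabeled_associate_denial(rec):
    """True for 'associate' denials on class 'filesystem' with source type unlabeled_t."""
    return (
        rec is not None
        and rec["result"] == "denied"
        and "associate" in rec["perms"]
        and rec.get("tclass") == "filesystem"
        and rec.get("scontext_type") == "unlabeled_t"
    )


def find_unlabeled_associate_denials(lines):
    """Filter audit lines down to the records matching the condition above."""
    return [r for r in map(parse_avc, lines) if is_unlabeled_associate_denial(r)]


if __name__ == "__main__":
    for rec in find_unlabeled_associate_denials(SAMPLE_AUDIT_LINES):
        mode = "permissive" if rec["permissive"] else "enforcing"
        print(f'{rec["comm"]} (pid {rec["pid"]}) -> {rec["tcontext_type"]}:{rec["tclass"]} [{mode}]')
```

The `permissive` flag is kept on each record rather than used as a filter: in permissive mode the same record is logged but the access goes through, which is why a denial like this one only breaks the boot once the system runs in enforcing mode, as the commit message notes. Running the filter over permissive-mode boot logs before switching to enforcing is the cheap way to catch such gaps early.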