I would say: "enforced from Ignition". Currently it's switched on after the instance has booted, and this is not what users would do; they would rather enable it from Ignition and of course also have this setting persist over reboots. We don't test this currently, and while we can catch a few issues, this test setup makes little sense for the real world.
@pothos correct, as already attempted here: flatcar/mantle#252. But I think we can already solve the remaining tests mentioned above and then see what's missing (relabeling) before enabling tests from Ignition/kargs.
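The distinction drawn above (SELinux toggled with `setenforce` after boot versus enabled persistently so it survives a reboot) is something a test can check directly: runtime mode from `getenforce` and the configured mode from `/etc/selinux/config` must both say enforcing. The following is an added example, not code from the Flatcar issue or from the mantle test suite; the function names and the sample config text are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the Flatcar issue or mantle): a precondition check a
# test could run to confirm SELinux is enforcing now AND configured to stay
# enforcing after a reboot, i.e. that enforcement was set persistently (for
# instance by an Ignition config writing /etc/selinux/config) rather than
# switched on with setenforce after the instance booted.

# Parse the SELINUX= line from /etc/selinux/config-style text read on stdin.
# Prints the configured mode (enforcing/permissive/disabled) or "unset" when
# no such line is present. SELINUXTYPE= lines are deliberately not matched.
selinux_config_mode() {
    mode=$(sed -n 's/^[[:space:]]*SELINUX=\([a-z]*\).*/\1/p' | tail -n 1)
    [ -n "$mode" ] && echo "$mode" || echo "unset"
}

# Decide whether enforcement is persistent.
# $1: output of `getenforce` (Enforcing/Permissive/Disabled)
# $2: configured mode as returned by selinux_config_mode
# Returns 0 only when both the running kernel and the config say enforcing.
selinux_persistent_enforcing() {
    runtime=$(echo "$1" | tr '[:upper:]' '[:lower:]')
    [ "$runtime" = "enforcing" ] && [ "$2" = "enforcing" ]
}

# Constructed sample config, standing in for a real host's /etc/selinux/config.
SAMPLE_CONFIG='# This file controls the state of SELinux on the system.
SELINUX=enforcing
SELINUXTYPE=mcs
'

# On a live host the call would be:
#   selinux_persistent_enforcing "$(getenforce)" \
#       "$(selinux_config_mode </etc/selinux/config)"
# Here the runtime value "Enforcing" is a constructed stand-in for getenforce.
check_sample() {
    cfg=$(printf '%s' "$SAMPLE_CONFIG" | selinux_config_mode)
    if selinux_persistent_enforcing "Enforcing" "$cfg"; then
        echo "ok: enforcing now and after reboot (config=$cfg)"
    else
        echo "not persistent: runtime=Enforcing config=$cfg"
        return 1
    fi
}

check_sample
```

A test that only looks at `getenforce` passes in the current setup (mode switched on after boot) and says nothing about reboots; requiring the persisted config to agree is what makes the check reflect how users actually enable SELinux.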
Current situation
Now the SELinux container policy is about to land on Alpha, let's investigate on the tests with permissive SELinux and see what's missing to switch to enforce mode.
Ideal future situation
All the tests are running with SELinux enforced.
Implementation options
Here's the current list:
bpf.execsnoop
bpf.local-gadget
devcontainer.docker
kubeadm.*.flannel.base (Flannel >= 0.17.0 is crashing with enforced SELinux #779 and Kube Flannel (> 0.14.1) does not start in SELinux enforcing mode #635)
cl.misc.nvidia
cl.misc.falco (when selinux is enforcing unsigned kernel modules can't be loaded #783)
Additional information
To proceed: