
build: configure SELinux labels for Docker volumes #6055

Merged (2 commits, Jun 29, 2023)

Conversation

zregvart
Contributor

Why are the changes in this PR needed?

When SELinux is enforcing, volumes mounted into spun-up Docker containers are not writable unless the :z or :Z flag is set [1].

This opts not to share the mounts, by using :Z.

What are the changes in this PR?

The :Z flag is set for Docker volume mounts.

Notes to assist PR review:

Fixes #6054

Further comments:

[1] https://docs.docker.com/storage/bind-mounts/#configure-the-selinux-label

When SELinux is enforcing, volumes mounted into spun-up Docker containers
are not writable unless the `:z` or `:Z` flag is set [1].

This opts not to share the mounts, by using `:Z`.

[1] https://docs.docker.com/storage/bind-mounts/#configure-the-selinux-label

Fixes open-policy-agent#6054

Signed-off-by: Zoran Regvart <[email protected]>
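The bind-mount labeling the PR describes, as an added shell example that is not part of OPA's build files: it reports the host's SELinux state, builds the `host:container:Z` volume spec for `docker run -v`, and (requires Docker, not run here) checks that a container can actually write into the mount. The `selinux_state` file-path argument and the `none` label option are assumptions made for this example.

```shell
#!/usr/bin/env sh
# Added example (not from the OPA repository): derive the Docker bind-mount
# spec the PR describes, choosing the SELinux label option explicitly.

# Print the SELinux enforcement state: "enforcing", "permissive" or "absent".
# Reads the kernel's selinuxfs flag; the optional path argument is an
# assumption so the function can be exercised against a constructed file.
selinux_state() {
  flag_file="${1:-/sys/fs/selinux/enforce}"
  if [ ! -r "$flag_file" ]; then
    echo absent
    return 0
  fi
  if [ "$(cat "$flag_file")" = "1" ]; then echo enforcing; else echo permissive; fi
}

# Build "host:container[:label]" for docker run -v. The label suffix only
# triggers a relabel when SELinux is active, but Docker accepts it on other
# hosts too, which is why the build can set :Z unconditionally.
# $3 selects the label: Z (private, one container) or z (shared between
# containers); "none" (assumed here for comparison) emits no label.
mount_spec() {
  host="$1"; container="$2"; label="${3:-Z}"
  case "$label" in
    z|Z) echo "${host}:${container}:${label}" ;;
    none) echo "${host}:${container}" ;;
    *) echo "unknown label option: $label" >&2; return 1 ;;
  esac
}

# Run a throwaway container that writes into the mounted tree, so a label
# mismatch surfaces as "Permission denied" in the build log instead of a
# confusing failure later. Needs Docker; not invoked by the demo below.
verify_mount_writable() {
  spec="$(mount_spec "$1" /src Z)"
  docker run --rm -v "$spec" alpine:3 \
    sh -c 'touch /src/.selinux-check && rm /src/.selinux-check'
}

if [ "${1:-}" = "--demo" ]; then
  echo "SELinux: $(selinux_state)"
  echo "mount:   $(mount_spec "$(pwd)" /src Z)"
fi
```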
@netlify
netlify bot commented Jun 28, 2023

Deploy Preview for openpolicyagent ready!

Latest commit: 1876c61
Latest deploy log: https://app.netlify.com/sites/openpolicyagent/deploys/649d4913b1f7d5000811dd46
Deploy Preview: https://deploy-preview-6055--openpolicyagent.netlify.app/docs/edge/management-discovery

@srenatus
Contributor

srenatus left a comment

Thank you!

@ashutosh-narkar
Member

@zregvart thanks for the contribution. Have we verified this works on SELinux enabled and disabled systems?

@johanfylling johanfylling merged commit a50c134 into open-policy-agent:main Jun 29, 2023
@zregvart
Contributor Author

> @zregvart thanks for the contribution. Have we verified this works on SELinux enabled and disabled systems?

Thanks for the comment. I wanted to record a session with and without SELinux enforcement, and I found two additional places that needed the labeling. I'll create a follow-up PR shortly.

I also run Fedora Linux, which has SELinux enforced by default, and I expect GitHub Linux worker nodes do not run with SELinux enforced.

Successfully merging this pull request may close these issues.

Building OPA with SELinux enforced
4 participants