Skip to content

Switch to using opencontainers/selinux for selinux bindings#32687

Merged
vdemeester merged 1 commit intomoby:masterfrom
runcom:oci-selinux
Apr 29, 2017
Merged

Switch to using opencontainers/selinux for selinux bindings#32687
vdemeester merged 1 commit intomoby:masterfrom
runcom:oci-selinux

Conversation

@runcom
Copy link
Member

@runcom runcom commented Apr 18, 2017

Carry of #32011, hopefully tests are green here.

@cpuguy83 @thaJeztah @vdemeester @rhatdan PTAL

Signed-off-by: Antonio Murdaca [email protected]

@runcom runcom mentioned this pull request Apr 18, 2017
Closed
@runcom
Copy link
Member Author

runcom commented Apr 24, 2017

Ping anyone, why aren't tests running for this PR?

TomSweeneyRedHat
TomSweeneyRedHat reviewed Apr 24, 2017
View reviewed changes
vendor/github.com/opencontainers/selinux/go-selinux/selinux.go Outdated
Copy link
Contributor

@TomSweeneyRedHat TomSweeneyRedHat Apr 24, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Filecon to FileLabel in this comment.

Copy link
Member Author

@runcom runcom Apr 24, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice catch, could you open a PR to fix this in opencontainers/selinux?

cpuguy83
cpuguy83 requested changes Apr 24, 2017
View reviewed changes
Copy link
Member

@cpuguy83 cpuguy83 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think we should make any changes until we have a strongly-typed object for handing off selinux context from the daemon.

For instance in swarm we use this:

moby/api/types/swarm/container.go

Line 25 in 091b5e6

type SELinuxContext struct {

vendor/github.com/opencontainers/selinux/go-selinux/selinux.go Outdated
Copy link
Member

@cpuguy83 cpuguy83 Apr 24, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This change seems like it's going to break stuff.
Why the change?

Definitely breaking https://github.com/moby/moby/blob/master/daemon/cluster/executor/container/container.go#L624

Copy link
Member Author

@runcom runcom Apr 24, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@cpuguy83 selinux hasn't any notion of label= prefixed labels. The label is just the label, not label=label <- this is something docker did afacit, nothing related to selinux /cc @rhatdan

Copy link
Contributor

@rhatdan rhatdan Apr 24, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

label should not be in any SELinux specific section. this should be in the label section but not in the selinux specific section.

@runcom
Copy link
Member Author

runcom commented Apr 24, 2017

I don't think we should make any changes until we have a strongly-typed object for handing off selinux context from the daemon.

I don't understand....this change is super-transparent and what you're saying can be postponed for sure, in the mean time we'll switch to OCI/selinux since there's no libcontainer/selinux anymore. If something happen to be incorrect we'll fix OCI/selinux directly that way...

@cpuguy83
Copy link
Member

cpuguy83 commented Apr 24, 2017

Ok I see you've got this label conversion happening in Docker now. That's fine.
I'll open an issue to discuss a strong type that we can convert to to make sure this kind of stuff is checked at compile time.

Will need to do some manual testing on this just to make sure we're not breaking anything (seems ok, but just want to be sure).

cpuguy83
cpuguy83 approved these changes Apr 26, 2017
View reviewed changes
Copy link
Member

@cpuguy83 cpuguy83 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@runcom
Copy link
Member Author

runcom commented Apr 26, 2017

everything green 💚

vdemeester
vdemeester approved these changes Apr 29, 2017
View reviewed changes
Copy link
Member

@vdemeester vdemeester left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 👍

@vdemeester vdemeester merged commit 4219156 into moby:master Apr 29, 2017
@GordonTheTurtle GordonTheTurtle added this to the 17.06.0 milestone Apr 29, 2017
@runcom runcom deleted the oci-selinux branch April 29, 2017 17:58
@kolyshkin kolyshkin mentioned this pull request May 2, 2020
Merged
kolyshkin pushed a commit to kolyshkin/moby that referenced this pull request May 4, 2020
@fabiokung @kolyshkin
only Daemon.load needs to call label.ReserveLabel
fcc0ccc 
Signed-off-by: Fabio Kung <[email protected]>
(cherry picked from commit 9134e87)
Signed-off-by: Kir Kolyshkin <[email protected]>

Conflicts:
 - container/container.go: missing moby#33241,
   moby#32687

Signed-off-by: Kir Kolyshkin <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cpuguy83 cpuguy83 cpuguy83 approved these changes

+3 more reviewers

@rhatdan rhatdan rhatdan left review comments

@TomSweeneyRedHat TomSweeneyRedHat TomSweeneyRedHat left review comments

@vdemeester vdemeester vdemeester approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

status/2-code-review

Projects

None yet

Milestone

17.06.0

Development

Successfully merging this pull request may close these issues.

7 participants

@runcom @cpuguy83 @vdemeester @rhatdan @TomSweeneyRedHat @thaJeztah @GordonTheTurtle