Can't use SELinux separation when sharing the host pid/ipc namespace
SELinux will cause breakage when sharing these namespaces. For example, it will block processes inside the container from looking at the host's /proc in the host's PID namespace. It will also block all access to semaphores and shared memory defined outside of the pod. Signed-off-by: Dan Walsh <dwalsh@redhat.com>
This commit is contained in:
parent
fbcd609644
commit
cd12a4acfe
1 changed files with 6 additions and 3 deletions
@ -166,10 +166,13 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Don't use SELinux separation with Host Pid or IPC Namespace,
|
||||||
|
if !req.GetConfig().GetLinux().GetNamespaceOptions().GetHostPid() && !req.GetConfig().GetLinux().GetNamespaceOptions().GetHostIpc() {
|
||||||
processLabel, mountLabel, err = getSELinuxLabels(nil)
|
processLabel, mountLabel, err = getSELinuxLabels(nil)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
containerID, containerName, err := s.generateContainerIDandName(name, "infra", 0)
|
containerID, containerName, err := s.generateContainerIDandName(name, "infra", 0)
|
||||||
g.AddAnnotation("ocid/labels", string(labelsJSON))
|
g.AddAnnotation("ocid/labels", string(labelsJSON))
|
||||||
|
|
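Review bot: The added branch leaves processLabel and mountLabel at whatever value they held before the hunk whenever HostPid or HostIpc is set, so a pod that shares a host namespace also runs without SELinux label separation; nothing at the call site records that decision, and the declarations of those two variables are outside the hunk, so their fallback value cannot be confirmed here. The new comment is cut off at a trailing comma; I would finish it so the trade-off is stated where it is made: `// Don't use SELinux separation with Host Pid or IPC Namespace: SELinux would block the container from reading the host's /proc and from using IPC objects created outside the pod.` The repeated `req.GetConfig().GetLinux().GetNamespaceOptions()` chain could be hoisted into `nsOpts := req.GetConfig().GetLinux().GetNamespaceOptions()` so the condition reads `if !nsOpts.GetHostPid() && !nsOpts.GetHostIpc() {`. RunPodSandbox begins before and continues past this hunk.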