Restore default SELinux security contexts for container runtime binaries
Ciprian Hacman committed Jul 17, 2020
1 parent 0658248 commit 01486b7
Showing 2 changed files with 11 additions and 0 deletions.
6 changes: 6 additions & 0 deletions nodeup/pkg/model/containerd.go
Expand Up @@ -265,6 +265,12 @@ func (b *ContainerdBuilder) buildSystemdService() *nodetasks.Service {
manifest.Set("Unit", "Documentation", "https://containerd.io")
manifest.Set("Unit", "After", "network.target local-fs.target")

// Restore the default SELinux security contexts for the containerd and runc binaries
if b.Distribution.IsRHELFamily() && b.Cluster.Spec.Docker != nil && fi.BoolValue(b.Cluster.Spec.Docker.SelinuxEnabled) {
manifest.Set("Service", "ExecStartPre", "/bin/sh -c 'restorecon -v /usr/bin/runc'")
manifest.Set("Service", "ExecStartPre", "/bin/sh -c 'restorecon -v /usr/bin/containerd*'")
}

manifest.Set("Service", "EnvironmentFile", "/etc/sysconfig/containerd")
manifest.Set("Service", "EnvironmentFile", "/etc/environment")
manifest.Set("Service", "ExecStartPre", "-/sbin/modprobe overlay")
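Review bot: The two new ExecStartPre entries carry no `-` prefix, so if `restorecon` is absent from the node image (policycoreutils not installed) or the `/usr/bin/containerd*` glob matches nothing, the whole containerd unit fails to start, whereas the existing `-/sbin/modprobe overlay` on the next line is tolerant of failure; the `/usr/bin/docker*` line in docker.go has the same shape. Whether a failed relabel should be fatal for the runtime is a deliberate choice that the comment should state, e.g. `// Not prefixed with '-': a failed relabel is meant to stop the unit` if that is the intent, or the commands should get the `-` prefix if best-effort is intended. This containerd builder also gates on `b.Cluster.Spec.Docker.SelinuxEnabled`; if the Docker spec is the shared home for the cluster's SELinux setting, a one-line comment saying so would spare the next reader from expecting a containerd-specific flag. buildSystemdService starts and ends outside the hunk.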
5 changes: 5 additions & 0 deletions nodeup/pkg/model/docker.go
Expand Up @@ -558,6 +558,11 @@ func (b *DockerBuilder) buildSystemdService(dockerVersion semver.Version) *nodet
manifest.Set("Service", "EnvironmentFile", "/etc/sysconfig/docker")
manifest.Set("Service", "EnvironmentFile", "/etc/environment")

// Restore the default SELinux security contexts for the Docker binaries
if b.Distribution.IsRHELFamily() && b.Cluster.Spec.Docker != nil && fi.BoolValue(b.Cluster.Spec.Docker.SelinuxEnabled) {
manifest.Set("Service", "ExecStartPre", "/bin/sh -c 'restorecon -v /usr/bin/docker*'")
}

// the default is not to use systemd for cgroups because the delegate issues still
// exists and systemd currently does not support the cgroup feature set required
// for containers run by docker
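Review bot: The reason the command is wrapped in `/bin/sh -c` is not recorded; systemd does not perform glob expansion on Exec= arguments, so the shell is presumably there only to expand `/usr/bin/docker*`, and that is worth a line such as `// run through sh so the shell expands the /usr/bin/docker* glob; systemd does not glob Exec= arguments`. Note that `-v` makes restorecon print every relabeled path to the journal on each service start, which is fine for auditing but should be a conscious choice. buildSystemdService starts and ends outside the hunk.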

0 comments on commit 01486b7

Please sign in to comment.