We must not disable selinux

Bug #1543308 reported by Adrian Otto on 2016-02-08
This bug affects 2 people
Affects: Magnum
Status: In Progress
Importance: Critical
Assigned to: Jason Dunsmore
Milestone: (not set)

Bug Description

In November, we merged this commit:

https://review.openstack.org/243432

In doing so, we renamed a file to:

https://github.com/openstack/magnum/blob/master/magnum/templates/swarm/fragments/disable-selinux.sh

The script has been moved three times, so I don't have a history of who originally wrote it, but here is my objection:

We must not disable key security features of the Linux kernel. This particular feature is critically important to the security isolation of containers, and must remain enabled. Instead of disabling selinux, we must find out why the code does not work without it, and add the necessary labels to allow it to function while selinux is enabled.

Please find all places in Magnum where selinux is disabled, and eliminate them.

Adrian Otto (aotto) wrote :

magnum/templates/swarm/fragments/disable-selinux.sh
magnum/templates/kubernetes/fragments/disable-selinux.sh
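
The audit requested in the description, as an added example that is not part of the bug report or Magnum's code: a POSIX shell scan for lines that weaken SELinux, usable as a CI gate so a reverted fix is caught. The function names, sample file names and fragment contents are constructed for illustration; the patterns cover `setenforce`, `/etc/selinux/config` and the `selinux=0` / `enforcing=0` kernel parameters.

```shell
#!/bin/sh
# Added example: audit a template tree for lines that weaken SELinux.

# Print file:line:text for each non-comment line that switches SELinux to
# permissive or disabled via setenforce, /etc/selinux/config, or the kernel
# command line. Exit status is grep's: 0 = findings, 1 = clean, 2 = error.
find_selinux_disable() {
    grep -rnE \
        -e '^[^#]*setenforce[[:space:]]+(0|[Pp]ermissive)' \
        -e '^[^#]*SELINUX=(disabled|permissive)' \
        -e '^[^#]*(selinux|enforcing)=0' \
        "$1"
}

# CI gate: return 1 when anything is found, 0 when clean, 2 on scan errors.
selinux_gate() {
    findings=$(find_selinux_disable "$1") && rc=0 || rc=$?
    case $rc in
        0) printf 'SELinux weakened at:\n%s\n' "$findings" >&2; return 1 ;;
        1) return 0 ;;
        *) return 2 ;;
    esac
}

# Build a throwaway tree of CONSTRUCTED fragments (not Magnum's real files).
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/swarm" "$d/kubernetes" "$d/clean"
    printf '%s\n' '#!/bin/sh' 'setenforce 0' \
        "sed -i 's/^SELINUX=.*/SELINUX=permissive/' /etc/selinux/config" \
        > "$d/swarm/sample-a.sh"
    printf '%s\n' 'GRUB_CMDLINE_LINUX="console=ttyS0 selinux=0"' \
        > "$d/kubernetes/sample-b.conf"
    printf '%s\n' '#!/bin/sh' '# setenforce 0   (removed)' 'setenforce 1' \
        > "$d/clean/sample-c.sh"
    echo "$d"
}

# Demo on the constructed tree: three findings, and the gate reports failure.
tree=$(make_sample_tree)
selinux_gate "$tree" || echo "gate status: $?"
rm -rf "$tree"
```

Commented-out lines and `setenforce 1` are not reported, so a fragment that only re-enables enforcement passes the gate.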

Fix proposed to branch: master
Review: https://review.openstack.org/277883

Changed in magnum:
assignee: nobody → Corey O'Brien (coreypobrien)
status: Triaged → In Progress

Reviewed: https://review.openstack.org/277883
Committed: https://git.openstack.org/cgit/openstack/magnum/commit/?id=cf85c5ac03637a4e290ccc1eab404efb49e59a88
Submitter: Jenkins
Branch: master

commit cf85c5ac03637a4e290ccc1eab404efb49e59a88
Author: Corey O'Brien <email address hidden>
Date: Tue Feb 9 10:19:51 2016 -0500

    Turn selinux back on after cloud-init

    After cloud-init has run configuration steps, turn on selinux again
    for security reasons.

    Change-Id: I12a5b2ff3e71be39aa84093fce8b1c2b1be9d473
    Closes-Bug: 1543308

Changed in magnum:
status: In Progress → Fix Released
hongbin (hongbin034) wrote :

Reopen this bug, since the fix has been reverted: https://review.openstack.org/#/c/289626/

Changed in magnum:
status: Fix Released → In Progress

Reviewed: https://review.openstack.org/290090
Committed: https://git.openstack.org/cgit/openstack/magnum/commit/?id=44b2e77979dea95bfabdd712eccb8c3a69b36470
Submitter: Jenkins
Branch: master

commit 44b2e77979dea95bfabdd712eccb8c3a69b36470
Author: Hongbin Lu <email address hidden>
Date: Tue Mar 8 14:26:24 2016 -0500

    Enable SELinux in swarm bay

    SELinux is an important security feature. We need to turn it on
    after cloud-init. This patch did that for swarm.

    Change-Id: I1862a63498613535741c3aae9c0378911ec21315
    Partial-Bug: #1543308

Changed in magnum:
milestone: mitaka-3 → none
assignee: Corey O'Brien (coreypobrien) → nobody
rajiv (rajiv-kumar) on 2016-09-05
Changed in magnum:
assignee: nobody → rajiv (rajiv-kumar)

This issue was fixed in the openstack/magnum 2.0.0 release.

Fix proposed to branch: master
Review: https://review.openstack.org/442598

Changed in magnum:
assignee: rajiv (rajiv-kumar) → Jason Dunsmore (jasondunsmore)