SELinux Policy: system_u:system_r:cachefiles_kernel_t:s0 #4081
Comments
Hello, thanks for submitting this feature request! I've confirmed that Bottlerocket currently does not have this policy:

```
[root@admin]# seinfo -t | grep cache
cache_t
```

We will discuss within the team if it's viable to add this policy and will get back to you with the decision.
I've been playing around with this, and I found a few things, but first some clarifications for others that find this issue:
By default, the
That will force the process to use the parent's SELinux context. The Bottlerocket SELinux policy is way different than the

I first loaded the

```
modprobe -qab cachefiles
```

Then, I deployed a pod with the following spec:

```yaml
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: fedora
spec:
  selector:
    matchLabels:
      name: fedora
  template:
    metadata:
      labels:
        name: fedora
    spec:
      containers:
        - name: fedora
          image: fedora
          command: ["sleep", "infinity"]
          securityContext:
            privileged: true
          # These will be accessed by cachefilesd
          volumeMounts:
            - mountPath: /dev/log
              name: journal
              readOnly: false
            - mountPath: /dev/cachefiles
              name: cache
              readOnly: false
      volumes:
        - name: journal
          hostPath:
            path: /dev/log
        - name: cache
          hostPath:
            path: /dev/cachefiles
```

This got me past the SELinux problems, but I keep getting this error:

But no AVC denials. I wonder if we are missing a kernel config to allow this, or if
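The two checks the comment above performs by hand, as an added Python example that is not code from the issue or from Bottlerocket: confirm whether the expected type is present in `seinfo -t` output, and scan audit records for AVC denials whose source or target context carries that type. The `seinfo` listing and the audit lines inside the block are constructed sample text, and the types `device_t`, `devlog_t` and `container_t` in them are constructed values, not taken from the issue.

```python
import re

# Constructed sample of `seinfo -t` output (the issue shows only cache_t matching "cache").
SEINFO_OUTPUT = """Types: 3
   cache_t
   kernel_t
   unlabeled_t
"""

# Constructed audit records, not taken from the issue. The first is the kind of
# denial a missing rule for cachefiles_kernel_t would produce; the second is an
# unrelated container denial that must not be attributed to cachefiles.
AUDIT_LOG = """\
type=AVC msg=audit(1700000000.123:456): avc:  denied  { read write } for  pid=1234 comm="cachefilesd" name="cachefiles" dev="devtmpfs" ino=77 scontext=system_u:system_r:cachefiles_kernel_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1700000000.200:457): avc:  denied  { write } for  pid=999 comm="sleep" path="/dev/log" scontext=system_u:system_r:container_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file permissive=0
type=SYSCALL msg=audit(1700000000.200:457): arch=c000003e syscall=1 success=no exit=-13
"""

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')    # key=value or key="quoted value"
_PERMS = re.compile(r'\{\s*([^}]*?)\s*\}')  # the { perm perm } set of a denial


def types_in_policy(seinfo_text: str) -> set[str]:
    """Type names listed by `seinfo -t`, skipping the 'Types: N' header line."""
    return {ln.strip() for ln in seinfo_text.splitlines()
            if ln.strip() and not ln.strip().startswith("Types:")}


def missing_types(seinfo_text: str, expected: set[str]) -> set[str]:
    """Expected types absent from the loaded policy (the issue's root symptom)."""
    return expected - types_in_policy(seinfo_text)


def context_type(ctx: str) -> str:
    """Type field of a user:role:type:level security context."""
    return ctx.split(":")[2]


def parse_avc(line: str) -> dict:
    """Flatten one AVC record into a dict; quotes stripped, permissions as a set."""
    rec = {k: v.strip('"') for k, v in _KV.findall(line)}
    m = _PERMS.search(line)
    rec["perms"] = set(m.group(1).split()) if m else set()
    return rec


def avc_denials_for_type(audit_text: str, type_name: str) -> list[dict]:
    """AVC denials whose source or target context carries type_name."""
    hits = []
    for line in audit_text.splitlines():
        if not line.startswith("type=AVC") or " denied " not in line:
            continue  # SYSCALL/PATH records and granted events are not denials
        rec = parse_avc(line)
        if type_name in (context_type(rec["scontext"]), context_type(rec["tcontext"])):
            hits.append(rec)
    return hits
```

An empty result from `avc_denials_for_type` together with a non-empty `missing_types` is the situation described in the comment: no denial can be logged against a type that the loaded policy does not define.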
What I'd like:
I would like to enable fscache in order to allow caching of NFS files. Currently my issue is that on running cachefilesd I either receive:
or
The last happens if I specify, which should be the correct SELinux policy to reference
It looks like the policy is missing in Bottlerocket OS:
I would appreciate it if that policy could be added.
Related links:
Any alternatives you've considered: