Fix SELinux failures on disabled SELinux Machines #2032
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
On some machines when setting the SELinux key labels to "", we are seeing failures that cause runc to fail. Even if SELinux is disabled. This check will ignore callers calling SELinux Set*Label functions with "" when SELinux is disabled. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
LGTM |
1 similar comment
|
LGTM |
|
(LGTM). |
thaJeztah
added a commit
to thaJeztah/containerd
that referenced
this pull request
Apr 5, 2019
no changes in vendored files full diff: opencontainers/runc@v1.0.0-rc7...029124d - opencontainers/runc#2031 Add selinux validate in runc exec - opencontainers/runc#2032 Fix SELinux failures on disabled SELinux Machines - addresses opencontainers#2030 "container init caused "write /proc/self/attr/keycreate: invalid argument" Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
thaJeztah
added a commit
to thaJeztah/containerd
that referenced
this pull request
Apr 5, 2019
no changes in vendored files full diff: opencontainers/runc@v1.0.0-rc7...029124d - opencontainers/runc#2031 Add selinux validate in runc exec - opencontainers/runc#2032 Fix SELinux failures on disabled SELinux Machines - addresses opencontainers#2030 "container init caused "write /proc/self/attr/keycreate: invalid argument" Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This was referenced Apr 5, 2019
jordemort
pushed a commit
to jordemort/cri-o-runc
that referenced
this pull request
May 28, 2019
… stretch-backport v1.0.0~rc8 This is a hot-fix for v1.0.0-rc7, and fixes a regression on old kernels (which don't support keycreate labeling). Users are strongly encouraged to update, as this regression was introduced in 1.0.0-rc7 and has blocked many users from updating to mitigate CVE-2019-5736. Bugs: opencontainers#2032 opencontainers#2031 opencontainers#2043 At the moment the only outlying issue before we can release 1.0.0 is some spec discussions we are having about OCI hooks and how to handle the integration with existing NVIDIA hooks. We will do our best to finish this work as soon as we can. Thanks to the following people who made this release possible: * Aleksa Sarai <asarai@suse.de> * Daniel J Walsh <dwalsh@redhat.com> * lifubang <lifubang@acmcoder.com> * Michael Crosby <crosbymichael@gmail.com> * Mrunal Patel <mrunal@me.com> Vote: +4 -0 opencontainers#1 Signed-off-by: Aleksa Sarai <asarai@suse.de>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
On some machines when setting the SELinux key labels to "", we are seeing
failures that cause runc to fail. Even if SELinux is disabled.
This check will ignore callers calling SELinux Set*Label functions with ""
when SELinux is disabled.
Signed-off-by: Daniel J Walsh dwalsh@redhat.com