
Do not set selinux context for virt-launcher binary. #8933


Merged
merged 1 commit into from
Dec 13, 2022

Contributor

@pomodorox pomodorox commented Dec 12, 2022

What this PR does / why we need it:

We do not need to set the SELinux context for the virt-launcher binary. Uploading the PR to test if it is actually required or not.

No matter what we set, we end up with the SELinux labels for all files in the container:

$ kubectl exec -it virt-launcher-vmi-nocloud-t5pxv -- /bin/sh
sh-5.1$ ls -lhZ /usr/bin/virt-launcher
-r-xr-xr-x. 1 root root system_u:object_r:container_file_t:s0:c76,c631 56M Jan  1  1970 /usr/bin/virt-launcher
sh-5.1$ ls -lhZ /
total 4.0K
dr-xr-xr-x.   2 root root system_u:object_r:container_file_t:s0:c76,c631    6 Jan  1  1970 afs
lrwxrwxrwx.   1 root root system_u:object_r:container_file_t:s0:c76,c631    7 Jan  1  1970 bin -> usr/bin
dr-xr-xr-x.   2 root root system_u:object_r:container_file_t:s0:c76,c631    6 Jan  1  1970 boot
drwxr-xr-x.   6 root root system_u:object_r:container_file_t:s0:c76,c631  420 Dec 12 18:46 dev

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #

Special notes for your reviewer:

Release note:

NONE
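
An added example, not part of the PR or of KubeVirt's code: a shell check that parses `ls -lZ` output like the listing in the description above and confirms that every entry carries one identical SELinux context of the expected type. The function names are hypothetical, and the sample lines are the ones from that listing.

```shell
#!/bin/sh
# Added example: summarise SELinux contexts from `ls -lZ` output.
# SAMPLE_LS reuses the `ls -lhZ /` lines quoted in the PR description.
SAMPLE_LS='total 4.0K
dr-xr-xr-x.   2 root root system_u:object_r:container_file_t:s0:c76,c631    6 Jan  1  1970 afs
lrwxrwxrwx.   1 root root system_u:object_r:container_file_t:s0:c76,c631    7 Jan  1  1970 bin -> usr/bin
dr-xr-xr-x.   2 root root system_u:object_r:container_file_t:s0:c76,c631    6 Jan  1  1970 boot
drwxr-xr-x.   6 root root system_u:object_r:container_file_t:s0:c76,c631  420 Dec 12 18:46 dev'

# Print each distinct context (field 5 of a long listing), one per line.
# The "total" line and anything without a user:role:type:level field is skipped.
distinct_contexts() {
    awk 'NF >= 9 && $5 ~ /^[^:]+:[^:]+:[^:]+:[^:]+/ { print $5 }' | sort -u
}

# Print the SELinux type (third colon-separated part) of a context.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Print the MLS/MCS level (everything after the type), e.g. s0:c76,c631.
context_level() {
    printf '%s\n' "$1" | cut -d: -f4-
}

# Read a listing on stdin. Return 0 only if every entry carries the same
# full context (type and MCS categories) and its type is the expected one;
# return 2 if no context could be parsed, 1 otherwise.
uniform_label() {
    expected_type=$1
    contexts=$(distinct_contexts)
    [ -n "$contexts" ] || return 2
    [ "$(printf '%s\n' "$contexts" | grep -c .)" -eq 1 ] || return 1
    [ "$(context_type "$contexts")" = "$expected_type" ]
}

if printf '%s\n' "$SAMPLE_LS" | uniform_label container_file_t; then
    echo "all entries share one container_file_t context"
fi
```
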

@kubevirt-bot kubevirt-bot added dco-signoff: no Indicates the PR's author has not DCO signed all their commits. do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. labels Dec 12, 2022
@kubevirt-bot kubevirt-bot added kind/build-change Categorizes PRs as related to changing build files of virt-* components size/XS needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Dec 12, 2022
@kubevirt-bot
Contributor

Hi @didovesei. Thanks for your PR.

I'm waiting for a kubevirt member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@kubevirt-bot kubevirt-bot added release-note-none Denotes a PR that doesn't merit a release note. and removed do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. labels Dec 12, 2022
@rmohr
Member

rmohr commented Dec 12, 2022

/ok-to-test

@kubevirt-bot kubevirt-bot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Dec 12, 2022
@rmohr
Member

rmohr commented Dec 12, 2022

/retest

1 similar comment
@pomodorox
Contributor Author

/retest

Signed-off-by: Yufeng Duan <55268016+didovesei@users.noreply.github.com>
@kubevirt-bot kubevirt-bot added dco-signoff: yes Indicates the PR's author has DCO signed all their commits. and removed dco-signoff: no Indicates the PR's author has not DCO signed all their commits. labels Dec 13, 2022
@pomodorox
Contributor Author

/retest

1 similar comment
@pomodorox
Contributor Author

/retest

@rmohr
Member

rmohr commented Dec 13, 2022

/lgtm
/approve

In a follow-up we can check if we still need to relabel the tun and null devices.

@kubevirt-bot kubevirt-bot added the lgtm Indicates that a PR is ready to be merged. label Dec 13, 2022
@kubevirt-bot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: rmohr

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@kubevirt-bot kubevirt-bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Dec 13, 2022
@rmohr
Member

rmohr commented Dec 13, 2022

/retest

@kubevirt-bot kubevirt-bot merged commit bc21e4e into kubevirt:main Dec 13, 2022
@pomodorox pomodorox deleted the selinux branch February 23, 2023 23:16
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. dco-signoff: yes Indicates the PR's author has DCO signed all their commits. kind/build-change Categorizes PRs as related to changing build files of virt-* components lgtm Indicates that a PR is ready to be merged. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. release-note-none Denotes a PR that doesn't merit a release note. size/XS