Magnum

We must not disable selinux

Bug #1543308 reported by Adrian Otto on 2016-02-08

This bug affects 2 people

Affects		Status	Importance	Assigned to	Milestone
	Magnum	In Progress	Critical	Jason Dunsmore

Bug Description

In November, we merged this commit:

https://review.openstack.org/243432

In doing so, we renamed a file to:

https://github.com/openstack/magnum/blob/master/magnum/templates/swarm/fragments/disable-selinux.sh

The script has been moved three times, so I don't have a history of who originally wrote it, but here is my objection:

We must not disable key security features of the Linux kernel. This particular feature is critically important to the security isolation of containers, and must remain enabled. Instead of disabling selinux, we must find out why the code does not work without it, and add the necessary labels to allow it to function while selinux is enabled.

Please find all places in Magnum where selinux is disabled, and eliminate them.

Tags:

Revision history for this message

Adrian Otto (aotto) wrote on 2016-02-08:

magnum/templates/swarm/fragments/disable-selinux.sh
magnum/templates/kubernetes/fragments/disable-selinux.sh

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-02-09: Fix proposed to magnum (master)

Fix proposed to branch: master
Review: https://review.openstack.org/277883

Changed in magnum:
assignee:	nobody → Corey O'Brien (coreypobrien)
status:	Triaged → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-02-15: Fix merged to magnum (master)

Reviewed: https://review.openstack.org/277883
Committed: https://git.openstack.org/cgit/openstack/magnum/commit/?id=cf85c5ac03637a4e290ccc1eab404efb49e59a88
Submitter: Jenkins
Branch: master

commit cf85c5ac03637a4e290ccc1eab404efb49e59a88
Author: Corey O'Brien <email address hidden>
Date: Tue Feb 9 10:19:51 2016 -0500

Turn selinux back on after cloud-init

After cloud-init has run configuration steps, turn on selinux again
for security reasons.

Change-Id: I12a5b2ff3e71be39aa84093fce8b1c2b1be9d473
Closes-Bug: 1543308

Changed in magnum:
status:	In Progress → Fix Released

Revision history for this message

hongbin (hongbin034) wrote on 2016-03-08:

Reopen this bug, since the fix has been reverted: https://review.openstack.org/#/c/289626/

Changed in magnum:
status:	Fix Released → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-03-10:

Reviewed: https://review.openstack.org/290090
Committed: https://git.openstack.org/cgit/openstack/magnum/commit/?id=44b2e77979dea95bfabdd712eccb8c3a69b36470
Submitter: Jenkins
Branch: master

commit 44b2e77979dea95bfabdd712eccb8c3a69b36470
Author: Hongbin Lu <email address hidden>
Date: Tue Mar 8 14:26:24 2016 -0500

Enable SELinux in swarm bay

SELinux is an important security features. We need to turn it on
after cloud-init. This patch did that for swarm.

Change-Id: I1862a63498613535741c3aae9c0378911ec21315
Partial-Bug: #1543308

Spyros Trigazis (strigazi) on 2016-09-05

Changed in magnum:
milestone:	mitaka-3 → none
assignee:	Corey O'Brien (coreypobrien) → nobody

rajiv (rajiv-kumar) on 2016-09-05

Changed in magnum:
assignee:	nobody → rajiv (rajiv-kumar)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-11-10: Fix included in openstack/magnum 2.0.0

This issue was fixed in the openstack/magnum 2.0.0 release.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-03-07: Fix proposed to magnum (master)

Fix proposed to branch: master
Review: https://review.openstack.org/442598

Changed in magnum:
assignee:	rajiv (rajiv-kumar) → Jason Dunsmore (jasondunsmore)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-10-07: Change abandoned on magnum (master)

Change abandoned by Feilong Wang (<email address hidden>) on branch: master
Review: https://review.opendev.org/442598
Reason: I'm going to abandon this please feel free to reopen this. Thanks.

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.