<div dir="ltr"><div dir="ltr"><div dir="ltr"><div class="gmail_default" style="font-family:verdana,sans-serif"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif"></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, 12 Feb 2019 at 18:39, Jason Anderson <<a href="mailto:jasonanderson@uchicago.edu">jasonanderson@uchicago.edu</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">




<div dir="ltr">
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
Hey all,</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
With <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5736" title="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5736" target="_blank">
CVE-2019-5736</a> dropping today, I thought it would be a good opportunity to poke about the current state of SELinux support in Kolla. The
<a href="https://docs.openstack.org/kolla-ansible/rocky/user/security.html" title="https://docs.openstack.org/kolla-ansible/rocky/user/security.html" target="_blank">
docs</a> have said it is a work in progress since the Mitaka release at least. I did find a
<a href="https://blueprints.launchpad.net/kolla/+spec/enable-selinux" title="https://blueprints.launchpad.net/kolla/+spec/enable-selinux" target="_blank">
spec</a> that was marked as completed, but I am not aware that there is yet any support and I see that the baremetal role still forces SELinux to "permissive" by default.</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
Is anybody currently working on this or is there an updated spec/blueprint to track the development here? I am no SELinux expert by any means but this feels like an important thing to address, particularly if
<a href="https://docs.docker.com/storage/bind-mounts/#configure-the-selinux-label" title="https://docs.docker.com/storage/bind-mounts/#configure-the-selinux-label" target="_blank">
Docker has made it easier to label bind mounts</a>.</div></div></blockquote><div><span class="gmail_default" style="font-family:verdana,sans-serif"></span><span style="font-family:verdana,sans-serif">Hi Jason,</span></div><div class="gmail_default" style="font-family:verdana,sans-serif"><br></div><div><span class="gmail_default" style="font-family:verdana,sans-serif">Thanks for bringing this up. I'm afraid SELinux is still not supported in kolla-ansible. I'd definitely be interested in at least understanding what would be required to make it happen. I saw some messages on here about SELinux in TripleO, which suggests that it is possible with the kolla images. The discussion I saw was around the bind mount labelling.</span></div><div><span class="gmail_default" style="font-family:verdana,sans-serif"><br></span></div><div><span class="gmail_default" style="font-family:verdana,sans-serif">I've tagged TripleO, perhaps someone from that team could speak about what they have done to deploy the kolla containers with SELinux enabled? This thread [1] looks like a good starting point.</span></div><div><span class="gmail_default" style="font-family:verdana,sans-serif"><br></span></div><div><span class="gmail_default" style="font-family:verdana,sans-serif">Mark</span></div><div><span class="gmail_default" style="font-family:verdana,sans-serif"><br></span></div><div><span class="gmail_default" style="font-family:verdana,sans-serif">[1] <a href="https://openstack.nimeyo.com/121793/openstack-tripleo-undercloud-containers-selinux-enforcing">https://openstack.nimeyo.com/121793/openstack-tripleo-undercloud-containers-selinux-enforcing</a></span></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div id="gmail-m_1433485221015615668signature"><div id="gmail-m_1433485221015615668divtagdefaultwrapper" dir="ltr" style="font-size:12pt;color:rgb(0,0,0);font-family:Calibri,Helvetica,sans-serif">
<p style="margin-top:0px;margin-bottom:0px"></p>
</div>
</div>
</div>

</blockquote></div></div></div>
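An added example (my own Python, not kolla-ansible's or Docker's code) for the bind-mount labelling point raised in the thread: it parses Docker volume specs of the form source:target[:options], as used in kolla-ansible volume lists, and reports host bind mounts that carry no z/Z SELinux relabel option. The sample volume list is constructed for illustration, not taken from real kolla configuration.

```python
"""Audit Docker volume specs for SELinux relabel options (added example)."""
from dataclasses import dataclass
from typing import List, Tuple

# Docker bind-mount options that ask the daemon to relabel the host path:
#   z -> shared label, readable by any container on the host
#   Z -> private label, MCS categories unique to this container
RELABEL_OPTS = {"z", "Z"}


@dataclass
class VolumeSpec:
    source: str
    target: str
    options: Tuple[str, ...]

    @property
    def is_bind_mount(self) -> bool:
        # A host path starts with "/"; anything else is a named volume,
        # which Docker labels itself and which needs no z/Z option.
        return self.source.startswith("/")

    @property
    def relabelled(self) -> bool:
        return any(opt in RELABEL_OPTS for opt in self.options)


def parse_volume(spec: str) -> VolumeSpec:
    """Parse 'source:target[:opt1,opt2]' as written in docker -v / kolla lists."""
    parts = spec.split(":")
    if len(parts) < 2 or len(parts) > 3:
        raise ValueError(f"malformed volume spec: {spec!r}")
    opts = tuple(parts[2].split(",")) if len(parts) == 3 and parts[2] else ()
    return VolumeSpec(parts[0], parts[1], opts)


def unlabelled_bind_mounts(specs: List[str]) -> List[str]:
    """Return bind-mount specs that an enforcing SELinux host would deny (no z/Z)."""
    flagged = []
    for spec in specs:
        vol = parse_volume(spec)
        if vol.is_bind_mount and not vol.relabelled:
            flagged.append(spec)
    return flagged


# Constructed sample, modelled on kolla-ansible style volume lists (not real config).
SAMPLE_VOLUMES = [
    "/etc/kolla/nova-api/:/var/lib/kolla/config_files/:ro",  # bind mount, no label
    "/etc/localtime:/etc/localtime:ro,z",                     # bind mount, shared label
    "kolla_logs:/var/log/kolla/",                              # named volume, fine as-is
    "/var/lib/nova:/var/lib/nova:Z",                           # bind mount, private label
]

if __name__ == "__main__":
    for spec in unlabelled_bind_mounts(SAMPLE_VOLUMES):
        print("needs an SELinux relabel option (:z or :Z):", spec)
```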