[kolla][TripleO] State of SELinux support

Mark Goddard mark at stackhpc.com
Thu Feb 14 14:53:31 UTC 2019


On Tue, 12 Feb 2019 at 18:39, Jason Anderson <jasonanderson at uchicago.edu>
wrote:

> Hey all,
>
> With CVE-2019-5736
> <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5736> dropping
> today, I thought it would be a good opportunity to poke about the current
> state of SELinux support in Kolla. The docs
> <https://docs.openstack.org/kolla-ansible/rocky/user/security.html> have
> said it is a work in progress since the Mitaka release at least. I did find
> a spec <https://blueprints.launchpad.net/kolla/+spec/enable-selinux> that
> was marked as completed, but I am not aware that there is yet any support
> and I see that the baremetal role still forces SELinux to "permissive" by
> default.
>
> Is anybody currently working on this or is there an update spec/blueprint
> to track the development here? I am no SELinux expert by any means but this
> feels like an important thing to address, particularly if Docker has made
> it easier to label bind mounts
> <https://docs.docker.com/storage/bind-mounts/#configure-the-selinux-label>
> .
>
Hi Jason,

Thanks for bringing this up. I'm afraid SELinux is still not supported in
kolla-ansible. I'd definitely be interested in at least understanding what
would be required to make it happen. I saw some messages on here about
SELinux in TripleO, which suggests that it is possible with the kolla
images. The discussion I saw was around the bind mount labelling.

I've tagged TripleO, perhaps someone from that team could speak about what
they have done to deploy the kolla containers with SELinux enabled? This
thread [1] looks like a good starting point.

Mark

[1]
https://openstack.nimeyo.com/121793/openstack-tripleo-undercloud-containers-selinux-enforcing
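The bind-mount labelling both messages refer to can be checked on a running host from `docker inspect` output: Docker records each mount's options in the "Mode" field, and a bind mount without "z" or "Z" there has not been relabelled for SELinux. The script below is an added example for this thread, not code from kolla-ansible, TripleO or the original posters. It assumes the layout of `docker inspect <container>` JSON (a list of containers, each with a "Mounts" array carrying "Type", "Source", "Destination" and "Mode"); the sample input is constructed, and its kolla-style paths (/etc/kolla/<service> mounted onto /var/lib/kolla/config_files) are illustrative rather than captured from a deployment.

```python
"""Audit the SELinux relabel options on a container's bind mounts.

Added example for this thread; not code from kolla-ansible or TripleO.
Assumes the shape of `docker inspect <container>` output: a JSON list of
containers, each with a "Mounts" array whose entries carry "Type", "Source",
"Destination" and a "Mode" string of mount options such as "ro,z".
"""
import json

# Docker's SELinux relabel options: "z" gives the host path a shared label
# usable by several containers, "Z" a private label for one container.
RELABEL_OPTS = {"z", "Z"}

# Relabelling rewrites the SELinux context of the *host* path, recursively.
# Docker documents that doing this to a system directory renders the host
# inoperable, so relabelled_volume_spec() refuses to emit such a spec.
SYSTEM_DIRS = {"/", "/etc", "/usr", "/home", "/var", "/run",
               "/dev", "/proc", "/sys", "/boot"}

# Constructed sample standing in for `docker inspect nova_api nova_compute`.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/nova_api", "Mounts": [
        {"Type": "bind", "Source": "/etc/kolla/nova-api",
         "Destination": "/var/lib/kolla/config_files",
         "Mode": "ro", "RW": False, "Propagation": "rprivate"},
        {"Type": "bind", "Source": "/etc/localtime",
         "Destination": "/etc/localtime",
         "Mode": "ro", "RW": False, "Propagation": "rprivate"},
        {"Type": "volume", "Name": "kolla_logs",
         "Source": "/var/lib/docker/volumes/kolla_logs/_data",
         "Destination": "/var/log/kolla", "Mode": "z", "RW": True},
    ]},
    {"Name": "/nova_compute", "Mounts": [
        {"Type": "bind", "Source": "/etc/kolla/nova-compute",
         "Destination": "/var/lib/kolla/config_files",
         "Mode": "ro,z", "RW": False, "Propagation": "rprivate"},
        {"Type": "bind", "Source": "/run/libvirt",
         "Destination": "/run/libvirt",
         "Mode": "rw,Z", "RW": True, "Propagation": "rshared"},
        {"Type": "bind", "Source": "/var/lib/nova",
         "Destination": "/var/lib/nova",
         "Mode": "rw", "RW": True, "Propagation": "rprivate"},
    ]},
])


def parse_mount_options(mode):
    """Split Docker's comma-separated Mode string into a set of options."""
    return {opt for opt in mode.split(",") if opt}


def is_system_dir(path):
    """True when path is one of the host directories that must not be relabelled."""
    return (path.rstrip("/") or "/") in SYSTEM_DIRS


def unlabelled_bind_mounts(inspect_json):
    """Return one dict per bind mount that carries neither :z nor :Z.

    Only Type == "bind" is inspected, since host bind mounts are where the
    labelling question in the thread arises. With SELinux permissive such
    mounts keep working and only log denials, which is why the gap is easy
    to miss until enforcing mode is switched on.
    """
    findings = []
    for container in json.loads(inspect_json):
        name = container.get("Name", "").lstrip("/")
        for mount in container.get("Mounts", []):
            if mount.get("Type") != "bind":
                continue
            mode = mount.get("Mode", "")
            if parse_mount_options(mode) & RELABEL_OPTS:
                continue
            findings.append({"container": name, "source": mount["Source"],
                             "destination": mount["Destination"], "mode": mode})
    return findings


def relabelled_volume_spec(source, destination, mode="", shared=True):
    """Build the `-v` argument that adds a relabel option to an existing mount.

    Existing options are kept in order and "z" (shared) or "Z" (private) is
    appended. Raises ValueError for a system directory, where relabelling
    would change the context of host-owned files outside the container's data.
    """
    if is_system_dir(source):
        raise ValueError("refusing to relabel system directory %s" % source)
    opts = [opt for opt in mode.split(",") if opt]
    opts.append("z" if shared else "Z")
    return "%s:%s:%s" % (source, destination, ",".join(opts))


if __name__ == "__main__":
    for f in unlabelled_bind_mounts(SAMPLE_INSPECT):
        try:
            fix = relabelled_volume_spec(f["source"], f["destination"], f["mode"])
        except ValueError as exc:
            fix = "manual review (%s)" % exc
        print("%-13s %-28s -> %s" % (f["container"], f["source"], fix))
```

Run it against real output by replacing SAMPLE_INSPECT with the text of `docker inspect $(docker ps -q)`; each reported mount is one the host's SELinux policy will block once the node leaves permissive mode, unless the path already carries a container-accessible context for another reason.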
