
Added revised version of the no-new-privs post. #272

Merged
merged 2 commits
Mar 17, 2016

Conversation

jberkus
Contributor

@jberkus jberkus commented Mar 15, 2016

This is the revised version of @mrunalp 's post about no-new-privileges. It is not ready to go yet. There's a number of questions:

  • @mrunalp, I had to revise the post significantly; please verify that I didn't add any errors
  • @mrunalp it's your patch to Docker, no? Shouldn't we credit you by name? Who else worked on it?
  • @rhatdan, @jlebon, @jasonbrooks please check sample code, thanks!

@@ -0,0 +1,93 @@
---
title: Docker credentials store
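
Review bot: The front matter's `title: Docker credentials store` does not match this PR, which adds the revised no-new-privileges post; set the title to describe the no-new-privs post so the published page is labelled correctly.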
Metadata doesn't look right.

@mrunalp

mrunalp commented Mar 15, 2016

@jberkus Yes, I worked on the patches to OCI spec, runc and docker. @rhatdan helped with the selinux policy changes required for it.

@rhatdan
Member

rhatdan commented Mar 15, 2016

Change the Red Hat staff ... Intro to I.

Red Hat staff working on Project Atomic have contributed support for a `no-new-privileges`
I have contributed support for `no-new-privileges` ...

Then add a paragraph:

Turning on no_new_privs actually stopped the SELinux transition from the docker daemon type docker_t to the container type, svirt_lxc_net_t. no_new_privs only allows SELinux transitions from one type to another iff the target type is a complete subset of the source type. Dan Walsh worked on the SELinux policy for docker to fix this. With the latest policy in Fedora 24, no_new_privs and SELinux work well together. We will be backporting these fixes to RHEL when we ship docker support for no_new_privs.
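
For readers unfamiliar with the kernel primitive behind the `no-new-privileges` option discussed in this thread, here is an added example (not code from the PR or from the post it adds): a C program that sets the no_new_privs bit in a forked child with prctl(), reads it back via PR_GET_NO_NEW_PRIVS and /proc/self/status, and shows the kernel refuses to clear it again. It assumes a Linux host; the function name is the example's own.

```c
/* Added example, not part of the Project Atomic post or PR.
   Demonstrates the no_new_privs bit that Docker's no-new-privileges
   option sets for a container's init process. The bit is one-way and
   is inherited by every fork()/execve() descendant. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/wait.h>
#include <unistd.h>

/* Read the NoNewPrivs field from /proc/self/status.
   Returns 0 or 1, or -1 if the field is absent (older kernels). */
static int read_no_new_privs_status(void) {
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    char line[256];
    int value = -1;
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, "NoNewPrivs:", 11) == 0) {
            value = atoi(line + 11);
            break;
        }
    }
    fclose(f);
    return value;
}

/* Set no_new_privs in a child (so the caller is unaffected) and verify it
   is sticky: PR_GET reports 1, /proc agrees (or lacks the field), and an
   attempt to clear it is rejected (the kernel only accepts arg2 == 1).
   Returns 1 if all observations hold, 0 otherwise. */
int no_new_privs_is_sticky(void) {
    pid_t pid = fork();
    if (pid < 0) return 0;
    if (pid == 0) {
        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) _exit(10);
        int got = prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
        int status = read_no_new_privs_status();
        prctl(PR_SET_NO_NEW_PRIVS, 0, 0, 0, 0);  /* fails with EINVAL */
        int still = prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
        _exit((got == 1 && status != 0 && still == 1) ? 0 : 1);
    }
    int wstatus = 0;
    if (waitpid(pid, &wstatus, 0) != pid) return 0;
    return WIFEXITED(wstatus) && WEXITSTATUS(wstatus) == 0;
}

int main(void) {
    printf("no_new_privs is sticky: %s\n",
           no_new_privs_is_sticky() ? "yes" : "no");
    return 0;
}
```

Once the bit is set, setuid binaries and file capabilities no longer grant privilege on execve(), which is the property the Docker option relies on and the reason the SELinux domain transition described above needed a policy change.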

@jberkus
Contributor Author

jberkus commented Mar 15, 2016

OK, updated with changes. @bproffitt, this should be ready to go unless Dan or Mrunal object.

@jberkus jberkus closed this Mar 15, 2016
@jberkus
Contributor Author

jberkus commented Mar 17, 2016

Crap, closed this by accident. @bproffitt, if you can publish this tomorrow?

@jberkus jberkus reopened this Mar 17, 2016
bproffitt added a commit that referenced this pull request Mar 17, 2016
Added revised version of the no-new-privs post.
@bproffitt bproffitt merged commit d0dbf6e into master Mar 17, 2016
@jberkus jberkus deleted the no_new_privs_docker branch March 29, 2016 19:04