Is this operator capable of setting sebools?

[tylerauerbeck]

I have a workload that requires enabling container_manage_cgroup which traditionally I would do by logging onto the system and running setsebool container_manage_cgroup 1. I was hoping to be able to do this with this operator as well as I see it's capable of interacting with selinux. However my attempts so far have been unsuccessful. I've tried adding the following to the tuned-profiles configmap:

    openshift-node: |
      [main]
      summary=Optimize systems running OpenShift nodes
      include=openshift

      [sysctl]
      net.ipv4.tcp_fastopen=3
      fs.inotify.max_user_watches=65536

      [selinux]
      container_manage_cgroup=1

I've also tried setting container_manage_cgroup to true and yes just to try all the options, but still didn't have any luck. Is this possible through this operator? Is there a seperate/better way of handling this? Or is there anything that I need to do after modifying so that this gets put in place?

[jmencak]

Thank you for the report and sorry for the delay in response. This is a valid issue. Currently the [selinux] plugin is not supported.

[jmencak]

So I was confused for a moment. Looking more into the sources of the tuned daemon's [selinux] plugin, it has nothing to do with actually setting SELinux booleans. It only tunes the values in /sys/fs/selinux/, avc_cache_threshold in particular. So to answer your question, this operator cannot set sebools.

[tylerauerbeck]

Thanks @jmencak . For others interested in this, it looks like the plan is to handle it here: openshift/machine-config-operator#852 and looks to be blocked by ostreedev/ostree#1026

[openshift-bot]

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

[openshift-bot]

Stale issues rot after 30d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle rotten
/remove-lifecycle stale

[openshift-bot]

Rotten issues close after 30d of inactivity.

Reopen the issue by commenting /reopen.
Mark the issue as fresh by commenting /remove-lifecycle rotten.
Exclude this issue from closing again by commenting /lifecycle frozen.

/close

[openshift-ci-robot]

@openshift-bot: Closing this issue.

In response to this:

Rotten issues close after 30d of inactivity.

Reopen the issue by commenting /reopen.
Mark the issue as fresh by commenting /remove-lifecycle rotten.
Exclude this issue from closing again by commenting /lifecycle frozen.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.