Tap plugin - alternative PR #794

mmirecki · 2022-12-07T16:58:11Z

Alternative to #784
with selinux stuff encapsulated in a seprate package

Signed-off-by: mmirecki <mmirecki@redhat.com>

squeed · 2023-01-09T16:56:34Z

pkg/security/security.go

+// main instance of the plugin which performs the rest of the configuration.
+func (sm SELinuxSecurityModel) ReRunCommandWithSecurityLabels(addLinkString string, tmpName string, mtu int, nsFd int, multique bool, mac string) error {
+	// Apply the appropriate se linux label. This will affect the newly executed plugin process.
+	if err := selinux.SetExecLabel("system_u:system_r:container_t:s0"); err != nil {


I see these labels are hard-coded; is that the norm?

This is specific to just the selinux security module. Other modules would of course have different mechanisms (if present).
This PR was a proposal on how to extract the security module specific items from the main plugin code, but it seems this approach has not met with approval either, so I'm closing it.

Tap plugin

380d0bf

Signed-off-by: mmirecki <mmirecki@redhat.com>

mmirecki changed the title ~~Tap plugin~~ Tap plugin - alternative PR Dec 7, 2022

dougbtv approved these changes Dec 12, 2022

View reviewed changes

squeed reviewed Jan 9, 2023

View reviewed changes

mmirecki closed this Jan 11, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Tap plugin - alternative PR #794

Tap plugin - alternative PR #794

mmirecki commented Dec 7, 2022

squeed Jan 9, 2023

mmirecki Jan 11, 2023

Tap plugin - alternative PR #794

Tap plugin - alternative PR #794

Conversation

mmirecki commented Dec 7, 2022

squeed Jan 9, 2023

Choose a reason for hiding this comment

mmirecki Jan 11, 2023

Choose a reason for hiding this comment