
Re: CAP_LINUX_IMMUTABLE



Yep, that helps. I want to use a custom SCC as a last resort if no other options exist. Thanks for validating.

 

Appreciate the quick response, Slava.

 

-- 

Srinivas Kotaru

From: Vyacheslav Semushin <vsemushi redhat com>
Date: Wednesday, March 28, 2018 at 10:42 AM
To: Srinivas Naga Kotaru <skotaru cisco com>
Cc: dev <dev lists openshift redhat com>
Subject: Re: CAP_LINUX_IMMUTABLE

 

2018-03-28 19:17 GMT+02:00 Srinivas Naga Kotaru (skotaru) <skotaru cisco com>:

 

Is it possible to use the CAP_LINUX_IMMUTABLE security context with the restricted SCC? One of our clients wants to use the chattr +a /tmp/logs/*.log command in a pod. We don’t want to relax or give privileged SCC for any clients.

 

The "restricted" SCC doesn't allow any extra capabilities except those that are granted by default by Docker. So, the answer is "No, you can't".

If you "don’t want to relax or give privileged SCC", you may still create a custom SCC that will be identical to "restricted" but also allows the CAP_LINUX_IMMUTABLE capability. Such an SCC can be granted only to some clients, so they will be able to use it.

 

Hope this helps!


--

Slava Semushin | OpenShift
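
The custom SCC suggested in this thread could look like the following. This is an added example, not part of the original messages and not Red Hat's own manifest. The names restricted-immutable, log-writer and log-writer-sa, the image reference, and the field values copied from "restricted" are assumptions; compare them with the output of `oc get scc restricted -o yaml` on the target cluster.

```yaml
# Added example: a copy of "restricted" whose only change is allowedCapabilities.
# Field values are assumed to mirror "restricted"; verify against your cluster.
apiVersion: v1            # 2018-era clusters; current ones use security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: restricted-immutable        # hypothetical name
allowPrivilegedContainer: false
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
readOnlyRootFilesystem: false
defaultAddCapabilities: []          # nothing is added unless the pod asks for it
requiredDropCapabilities: [KILL, MKNOD, SETUID, SETGID]
allowedCapabilities:
- LINUX_IMMUTABLE                   # SCCs use the name without the CAP_ prefix
runAsUser:
  type: MustRunAsRange
seLinuxContext:
  type: MustRunAs
fsGroup:
  type: MustRunAs
supplementalGroups:
  type: RunAsAny
volumes: [configMap, downwardAPI, emptyDir, persistentVolumeClaim, projected, secret]
users: []     # left empty: grant explicitly, for example
groups: []    #   oc adm policy add-scc-to-user restricted-immutable -z log-writer-sa -n <project>
---
# The pod must request the capability; the SCC only permits the request.
apiVersion: v1
kind: Pod
metadata:
  name: log-writer                  # hypothetical
spec:
  serviceAccountName: log-writer-sa # hypothetical; the account the SCC was granted to
  containers:
  - name: app
    image: registry.example.com/app:placeholder   # placeholder image
    securityContext:
      capabilities:
        add: ["LINUX_IMMUTABLE"]
```

Because this SCC keeps `MustRunAsRange`, the container still runs under a non-root UID, so check in a test pod that the capability is actually effective for the process that calls chattr.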

