[root@machine /]# hostnamectl
Static hostname: machine
Icon name: computer-server
Chassis: server
Machine ID: 3342db489c014533b01ac7ebf64a59e0
Boot ID: cffcc4cf0a9141dd871335c015f0650a
Operating System: Red Hat Enterprise Linux 8.8 (Ootpa)
CPE OS Name: cpe:/o:redhat:enterprise_linux:8::baseos
Kernel: Linux 4.18.0-477.55.1.el8_8.x86_64
Architecture: x86-64
[root@machine /]# cadvisor --version
cAdvisor version v0.49.1
Description:
We are encountering SELinux denial messages when cAdvisor attempts to perform certain operations, such as getattr on /sys/fs/resctrl and attempting to access /dev/kmsg for reading OOM events, even though the relevant collectors are not being used. Specifically:
getattr on /sys/fs/resctrl: This occurs during the initialization of the resource_control manager, which checks whether Intel RDT (Resource Director Technology) is supported. However, we do not use the resctrl collector, nor do we wish to grant the required permissions.
For example, audit log:
avc: denied { getattr } for pid=383168 comm="cadvisor" name="/" dev="sysfs" ino=1 scontext=system_u:system_r:cadvisor_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem permissive=0
Capability on syslog (/dev/kmsg): This happens when cAdvisor attempts to read OOM events for containers, even though the container_oom_events_total metric is known to always return 0 (related defect: https://github.com/google/cadvisor/issues/3015).
For example, audit log:
avc: denied { syslog } for pid=383951 comm="cadvisor" capability=34 scontext=system_u:system_r:cadvisor_t:s0 tcontext=system_u:system_r:cadvisor_t:s0 tclass=capability2 permissive=0
avc: denied { sys_admin } for pid=383951 comm="cadvisor" capability=21 scontext=system_u:system_r:cadvisor_t:s0 tcontext=system_u:system_r:cadvisor_t:s0 tclass=capability
Expected Behavior:
If a specific collector (e.g., resctrl or OOM) is not being used, cAdvisor should not attempt to initialize or access resources requiring additional permissions. For example, the initialization of the resctrl collector happens here:
https://github.com/google/cadvisor/blob/c15f44e578c77800b1b82a7bbb67614364f4aedc/manager/manager.go#L224
Despite the collector being disabled, cAdvisor still attempts a getattr operation on the sysfs directory:
https://github.com/google/cadvisor/blob/c15f44e578c77800b1b82a7bbb67614364f4aedc/resctrl/utils.go#L83
SELinux denials should only occur when a collector is actively being used, and cAdvisor should request the necessary permissions only when the collector is enabled.
This will help avoid unnecessary SELinux denials and ensure that permission issues arise only when relevant features are in use.
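Added example, not code from cAdvisor or from this report: a small Go program that parses the three AVC records quoted above, attributes each to the collector the report names (filesystem getattr on sysfs to the resctrl RDT probe; capability2 syslog and capability sys_admin to the OOM watcher), and then shows the gating the Expected Behavior asks for with a hypothetical ProbeResctrl that returns before any syscall when the collector is disabled. The collector mapping, the function names, the "other" bucket and the sysfsRoot parameter are assumptions made for this example; SampleAudit is the report's own audit lines.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"regexp"
	"strings"
)

// SampleAudit holds the three AVC records quoted in the report above.
var SampleAudit = []string{
	`avc: denied { getattr } for pid=383168 comm="cadvisor" name="/" dev="sysfs" ino=1 scontext=system_u:system_r:cadvisor_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem permissive=0`,
	`avc: denied { syslog } for pid=383951 comm="cadvisor" capability=34 scontext=system_u:system_r:cadvisor_t:s0 tcontext=system_u:system_r:cadvisor_t:s0 tclass=capability2 permissive=0`,
	`avc: denied { sys_admin } for pid=383951 comm="cadvisor" capability=21 scontext=system_u:system_r:cadvisor_t:s0 tcontext=system_u:system_r:cadvisor_t:s0 tclass=capability`,
}

// AVCDenial is the subset of an "avc: denied" record needed for triage.
type AVCDenial struct {
	Perm   string // permission inside the braces: getattr, syslog, sys_admin
	Class  string // tclass= (filesystem, capability, capability2, ...)
	Source string // scontext= (the confined domain, e.g. ...:cadvisor_t:s0)
	Dev    string // dev= (filesystem type, only on filesystem-class denials)
}

var permRE = regexp.MustCompile(`avc: denied \{ (\w+) \}`)
var fieldRE = regexp.MustCompile(`(\w+)=("[^"]*"|\S+)`)

// ParseAVC extracts the fields of one audit line; ok is false for non-AVC lines.
func ParseAVC(line string) (d AVCDenial, ok bool) {
	m := permRE.FindStringSubmatch(line)
	if m == nil {
		return AVCDenial{}, false
	}
	d.Perm = m[1]
	for _, f := range fieldRE.FindAllStringSubmatch(line, -1) {
		val := strings.Trim(f[2], `"`)
		switch f[1] {
		case "tclass":
			d.Class = val
		case "scontext":
			d.Source = val
		case "dev":
			d.Dev = val
		}
	}
	return d, true
}

// CollectorFor maps a cadvisor_t denial to the code path the report attributes
// it to (assumed mapping): "resctrl" for the RDT probe, "oom" for the /dev/kmsg
// watcher, "other" for anything else. Denials from other domains return "".
func CollectorFor(d AVCDenial) string {
	if !strings.Contains(d.Source, ":cadvisor_t:") {
		return ""
	}
	switch {
	case d.Class == "filesystem" && d.Perm == "getattr" && d.Dev == "sysfs":
		return "resctrl"
	case d.Class == "capability2" && d.Perm == "syslog",
		d.Class == "capability" && d.Perm == "sys_admin":
		return "oom"
	}
	return "other"
}

// Triage counts cadvisor_t denials per collector so an operator can see which
// disabled feature is still reaching out to the host.
func Triage(lines []string) map[string]int {
	counts := map[string]int{}
	for _, line := range lines {
		d, ok := ParseAVC(line)
		if !ok {
			continue
		}
		if c := CollectorFor(d); c != "" {
			counts[c]++
		}
	}
	return counts
}

// ErrDisabled is returned when a probe is skipped because its collector is off.
var ErrDisabled = errors.New("collector disabled: host not probed")

// ProbeResctrl is a hypothetical stand-in for the RDT support check. It stats
// <sysfsRoot>/fs/resctrl only when the collector is enabled, so a confined
// domain without sysfs getattr permission never produces the denial above.
func ProbeResctrl(enabled bool, sysfsRoot string) (bool, error) {
	if !enabled {
		return false, ErrDisabled // no syscall, hence no AVC record
	}
	_, err := os.Stat(filepath.Join(sysfsRoot, "fs", "resctrl"))
	switch {
	case err == nil:
		return true, nil
	case errors.Is(err, os.ErrNotExist):
		return false, nil // kernel without resctrl: not an error
	default:
		return false, err // EACCES from SELinux surfaces here, only when opted in
	}
}

func main() {
	for c, n := range Triage(SampleAudit) {
		fmt.Printf("%-8s %d denial(s)\n", c, n)
	}
	_, err := ProbeResctrl(false, "/sys")
	fmt.Println("disabled probe:", err)
}
```

Run against the report's lines, Triage reports one resctrl denial and two oom denials. ProbeResctrl with enabled=false returns ErrDisabled without touching the filesystem, which is the behaviour the report expects from a disabled collector; with enabled=true a missing resctrl directory is reported as "unsupported" rather than as an error, and only a real permission failure (the SELinux case) propagates.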