k3s-io / k3s-selinux

SELinux policy for k3s
Apache License 2.0

Issues with local-path-provisioner #52

Open mcg1969 opened 9 months ago

mcg1969 commented 9 months ago

see: https://github.com/rancher/local-path-provisioner/issues/362

The rules in this module are not sufficient for local-path-provisioner; I'm seeing errors such as this:

type=PROCTITLE msg=audit(11/05/2023 20:04:14.350:980) : proctitle=chmod 00700 /mnt/pgdata 
type=SYSCALL msg=audit(11/05/2023 20:04:14.350:980) : arch=x86_64 syscall=fchmodat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x56175e3f04d0 a2=0700 a3=0x7f1174880f98 items=0 ppid=109618 pid=109647 auid=unset uid=ec2-user gid=root euid=ec2-user suid=ec2-user fsuid=ec2-user egid=root sgid=root fsgid=root tty=(none) ses=unset comm=chmod exe=/usr/bin/chmod subj=system_u:system_r:container_t:s0:c173,c969 key=(null) 
type=AVC msg=audit(11/05/2023 20:04:14.350:980) : avc:  denied  { setattr } for  pid=109647 comm=chmod name=pgdata dev="nvme0n1p2" ino=8923402 scontext=system_u:system_r:container_t:s0:c173,c969 tcontext=system_u:object_r:container_file_t:s0:c45,c627 tclass=dir permissive=0 

I found that I could temporarily solve issues by repeatedly running this command until the pods stabilized, but this of course is not a solution so much as a method for diagnosis:

sudo chcon -R -t svirt_sandbox_file_t -l s0 <PATH_TO_LOCAL_VOLUME>

I was also able to solve it by adding seLinuxOptions: to my helm chart, which fixed the container's category label (e.g., s0:c248,c366).

In this comment, another user solved it by creating an additional set of permissions. It would be my hope that they could be adapted for use in this module.

https://github.com/rancher/local-path-provisioner/issues/362#issuecomment-1804474477

Thank you for the great work!
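The denial quoted above is an MCS (category) mismatch rather than a type-enforcement problem: both labels carry the container types, but the pod holds categories c173,c969 while the directory holds c45,c627, so the process level does not dominate the file level. The script below is an added example, not code from the k3s-selinux project or from the issue author: it parses AVC records, separates "wrong type on the volume" from "right type, wrong categories", and for the latter reports the two remedies the issue describes (pin the pod's level, or relabel the volume to bare s0). It assumes that container-selinux grants container_t (alias svirt_lxc_net_t) access to container_file_t (alias svirt_sandbox_file_t), and the second and third sample records are constructed for contrast; only the first is the line from the issue.

```python
"""Triage SELinux AVC denials on container volumes: MCS category mismatch vs. type mismatch."""
import re
from dataclasses import dataclass

# Extracts the fields we need from a "type=AVC ... avc: denied {...}" audit record.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Assumption: container-selinux grants container_t (alias svirt_lxc_net_t) access to
# container_file_t (alias svirt_sandbox_file_t). With those types on both sides, what is
# left to deny the access is the MCS constraint: the process categories must include
# every category on the file.
CONTAINER_TYPES = {"container_t", "svirt_lxc_net_t"}
VOLUME_TYPES = {"container_file_t", "svirt_sandbox_file_t"}


def mcs_categories(level: str) -> set:
    """Expand an MCS level ('s0', 's0:c173,c969', 's0-s0:c0.c1023') into its category set."""
    level = level.split("-")[-1]          # for a low-high range the high level is what counts
    if ":" not in level:
        return set()                      # bare 's0': no categories, dominated by every level
    cats = set()
    for item in level.split(":", 1)[1].split(","):
        if "." in item:                   # 'c0.c3' denotes the run c0,c1,c2,c3
            lo, hi = (int(x[1:]) for x in item.split("."))
            cats.update(f"c{i}" for i in range(lo, hi + 1))
        else:
            cats.add(item)
    return cats


@dataclass
class Denial:
    perms: list
    stype: str
    slevel: str
    ttype: str
    tlevel: str
    tclass: str


def parse_avc(line: str):
    """Return a Denial for an AVC record, or None for any other audit line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    _, _, stype, slevel = m["scontext"].split(":", 3)
    _, _, ttype, tlevel = m["tcontext"].split(":", 3)
    return Denial(m["perms"].split(), stype, slevel, ttype, tlevel, m["tclass"])


def classify(d: Denial) -> dict:
    """Say why the access failed and what would make the labels line up."""
    missing = sorted(mcs_categories(d.tlevel) - mcs_categories(d.slevel))
    if d.ttype not in VOLUME_TYPES:
        cause = "type"       # the volume is not labelled as container content at all
    elif d.stype in CONTAINER_TYPES and missing:
        cause = "mcs"        # right types, but the file carries categories the pod lacks
    else:
        cause = "policy"     # types and categories agree; the permission itself is not allowed
    return {
        "cause": cause,
        "perms": d.perms,
        "missing": missing,
        # Two ways to reconcile an MCS mismatch: pin the pod (seLinuxOptions.level) to the
        # file's level, or strip the categories from the volume, as the issue's chcon does.
        "pod_level": d.tlevel if cause == "mcs" else None,
        "relabel": "chcon -R -t container_file_t -l s0 <volume>" if cause == "mcs" else None,
    }


def triage(lines) -> list:
    """Classify every AVC denial in an iterable of audit lines (e.g. ausearch -m AVC output)."""
    return [classify(d) for d in map(parse_avc, lines) if d is not None]


# The first record is the denial quoted in the issue; the next two are constructed.
SAMPLE = [
    'type=AVC msg=audit(11/05/2023 20:04:14.350:980) : avc:  denied  { setattr } for  pid=109647 '
    'comm=chmod name=pgdata dev="nvme0n1p2" ino=8923402 '
    'scontext=system_u:system_r:container_t:s0:c173,c969 '
    'tcontext=system_u:object_r:container_file_t:s0:c45,c627 tclass=dir permissive=0',
    # constructed: the volume was never relabelled, so the type is wrong, not the categories
    'type=AVC msg=audit(01/01/2024 00:00:00.000:1) : avc:  denied  { write } for  pid=1 '
    'comm=postgres name=pgdata dev="nvme0n1p2" ino=1 '
    'scontext=system_u:system_r:container_t:s0:c173,c969 '
    'tcontext=unconfined_u:object_r:default_t:s0 tclass=dir permissive=0',
    # constructed: categories match, so neither relabelling nor seLinuxOptions would help
    'type=AVC msg=audit(01/01/2024 00:00:00.000:2) : avc:  denied  { mounton } for  pid=1 '
    'comm=runc name=pgdata dev="nvme0n1p2" ino=1 '
    'scontext=system_u:system_r:container_t:s0:c173,c969 '
    'tcontext=system_u:object_r:container_file_t:s0:c173,c969 tclass=dir permissive=0',
]

if __name__ == "__main__":
    for result in triage(SAMPLE):
        print(result)
```

Run it over `ausearch -m AVC` output from the node: a "mcs" result is the signature of the provisioner creating the directory under one category pair while the pod runs under another, and the `pod_level` it reports is the value to put in the pod's `seLinuxOptions.level` if you prefer pinning over relabelling.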