k3s-io / k3s-selinux

SELinux policy for k3s
Apache License 2.0

Privileged containers run as container_runtime_t instead of spc_t on MicroOS #53

Open ejweber opened 9 months ago

ejweber commented 9 months ago

Found this while investigating https://github.com/longhorn/longhorn/issues/5348#issuecomment-1812677123.

I am technically using Tumbleweed, not MicroOS, but I am able to match the package versions of the initial raiser.

To be honest, I'm not really sure if this is a k3s-selinux bug or a selinux-policy-targeted bug. I tried to reproduce on RKE2, but I hit https://github.com/rancher/rke2-selinux/issues/56 for now.

The problem manifests when upgrading selinux-policy-targeted from 20231012-1.1 to 20231030-1.1.

Before the upgrade, privileged containers run correctly in the spc_t domain.

ip-192-168-217-136:/home/ec2-user # tumbleweed version
20231030

ip-192-168-217-136:/home/ec2-user # zypper search -si selinux
Loading repository data...
Reading installed packages...

S  | Name                     | Type    | Version          | Arch   | Repository
---+--------------------------+---------+------------------+--------+-----------------------------------
i+ | container-selinux        | package | 2.222.0-1.2      | noarch | openSUSE-Tumbleweed-Oss (20231030)
i+ | k3s-selinux              | package | 1.4.stable.1-1.3 | noarch | openSUSE-Tumbleweed-Oss (20231030)
i  | libselinux1              | package | 3.5-5.2          | x86_64 | openSUSE-Tumbleweed-Oss (20231030)
i  | microos_selinux          | pattern | 5.0-81.1         | x86_64 | (System Packages)
i+ | patterns-microos-selinux | package | 5.0-81.1         | x86_64 | (System Packages)
i  | python311-selinux        | package | 3.5-5.2          | x86_64 | openSUSE-Tumbleweed-Oss (20231030)
i  | selinux-autorelabel      | package | 3.1-3.9          | noarch | openSUSE-Tumbleweed-Oss (20231030)
i+ | selinux-policy           | package | 20231012-1.1     | noarch | openSUSE-Tumbleweed-Oss (20231030)
i  | selinux-policy-devel     | package | 20231030-1.1     | noarch | (System Packages)
i+ | selinux-policy-targeted  | package | 20231012-1.1     | noarch | openSUSE-Tumbleweed-Oss (20231030)
i  | selinux-tools            | package | 3.5-5.2          | x86_64 | openSUSE-Tumbleweed-Oss (20231030)

ip-192-168-217-136:/home/ec2-user # ps -efZ | grep "longhorn-manager -d csi"
system_u:system_r:spc_t:s0      root     12788  4678  0 19:27 ?        00:00:00 longhorn-manager -d csi --nodeid=ip-192-168-217-136 --endpoint=unix:///csi/csi.sock --drivername=driver.longhorn.io --manager-url=http://longhorn-backend:9500/v1
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 22254 17226  0 19:42 pts/1 00:00:00 grep --color=auto longhorn-manager -d csi

ip-192-168-217-136:/home/ec2-user # ps -efZ | grep "pause"
system_u:system_r:container_t:s0:c311,c885 65535 2308 2148  0 19:26 ?  00:00:00 /pause
system_u:system_r:container_t:s0:c337,c548 65535 2323 2162  0 19:26 ?  00:00:00 /pause
system_u:system_r:container_t:s0:c289,c892 65535 2580 2395  0 19:26 ?  00:00:00 /pause
system_u:system_r:container_t:s0:c591,c694 65535 3028 2737  0 19:26 ?  00:00:00 /pause
system_u:system_r:container_t:s0:c683,c711 65535 3094 2755  0 19:26 ?  00:00:00 /pause
system_u:system_r:container_t:s0:c802,c836 65535 3112 2878  0 19:26 ?  00:00:00 /pause
system_u:system_r:container_t:s0:c298,c963 65535 3243 3029  0 19:26 ?  00:00:00 /pause
system_u:system_r:container_t:s0:c465,c934 65532 3250 3068  0 19:26 ?  00:00:00 /pause
system_u:system_r:container_t:s0:c447,c862 65535 3520 3404  0 19:26 ?  00:00:00 /pause
system_u:system_r:container_t:s0:c455,c839 65535 3523 3303  0 19:26 ?  00:00:00 /pause
system_u:system_r:container_t:s0:c405,c908 root 3621 3414  0 19:26 ?   00:00:00 /pause
system_u:system_r:container_t:s0:c400,c525 65535 3722 3512  0 19:26 ?  00:00:00 /pause
system_u:system_r:container_t:s0:c160,c677 65535 3966 3718  0 19:26 ?  00:00:00 /pause
system_u:system_r:container_t:s0:c132,c522 65535 4049 3850  0 19:26 ?  00:00:00 /pause
system_u:system_r:container_t:s0:c96,c539 65535 4081 3856  0 19:26 ?   00:00:00 /pause
system_u:system_r:container_t:s0:c57,c457 65535 4092 3821  0 19:26 ?   00:00:00 /pause
system_u:system_r:container_t:s0:c20,c927 65535 4161 3989  0 19:26 ?   00:00:00 /pause
system_u:system_r:spc_t:s0      65535     4403  4131  0 19:26 ?        00:00:00 /pause
system_u:system_r:container_t:s0:c703,c910 65535 4554 4306  0 19:26 ?  00:00:00 /pause
system_u:system_r:container_t:s0:c623,c860 65535 4562 4418  0 19:26 ?  00:00:00 /pause
system_u:system_r:container_t:s0:c28,c545 65535 4799 4654  0 19:26 ?   00:00:00 /pause
system_u:system_r:spc_t:s0      65535     4850  4678  0 19:26 ?        00:00:00 /pause
system_u:system_r:spc_t:s0      65535     4924  4794  0 19:26 ?        00:00:00 /pause
system_u:system_r:container_t:s0:c559,c630 65535 5042 4832  0 19:26 ?  00:00:00 /pause
system_u:system_r:container_t:s0:c229,c625 65535 5228 5169  0 19:26 ?  00:00:00 /pause
system_u:system_r:container_t:s0:c609,c795 65535 5603 5486  0 19:26 ?  00:00:00 /pause
system_u:system_r:container_t:s0:c203,c988 65535 6102 6001  0 19:26 ?  00:00:00 /pause
system_u:system_r:container_t:s0:c384,c827 65535 6163 6075  0 19:26 ?  00:00:00 /pause
system_u:system_r:container_t:s0:c451,c720 65535 6391 6325  0 19:26 ?  00:00:00 /pause
system_u:system_r:spc_t:s0      65535     9407  9340  0 19:27 ?        00:00:00 /pause
system_u:system_r:spc_t:s0      65535     9414  9379  0 19:27 ?        00:00:00 /pause
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 22313 17226 99 19:42 pts/1 00:00:00 grep --color=auto pause

After the upgrade, they stay in the container_runtime_t domain. This is the root cause of https://github.com/longhorn/longhorn/issues/5348#issuecomment-1812677123.

ip-192-168-217-136:/home/ec2-user # tumbleweed version
repositories have not been initialized for snapshots
  Try /usr/bin/tumbleweed init

ip-192-168-217-136:/home/ec2-user # zypper search -si selinux
Loading repository data...
Reading installed packages...

S  | Name                     | Type    | Version          | Arch   | Repository
---+--------------------------+---------+------------------+--------+------------------------
i+ | container-selinux        | package | 2.222.0-1.2      | noarch | openSUSE-Tumbleweed-Oss
i+ | k3s-selinux              | package | 1.4.stable.1-1.3 | noarch | openSUSE-Tumbleweed-Oss
i  | libselinux1              | package | 3.5-5.2          | x86_64 | openSUSE-Tumbleweed-Oss
i  | microos_selinux          | pattern | 5.0-81.1         | x86_64 | openSUSE-Tumbleweed-Oss
i+ | patterns-microos-selinux | package | 5.0-81.1         | x86_64 | openSUSE-Tumbleweed-Oss
i  | python311-selinux        | package | 3.5-5.2          | x86_64 | openSUSE-Tumbleweed-Oss
i  | selinux-autorelabel      | package | 3.1-3.9          | noarch | openSUSE-Tumbleweed-Oss
i+ | selinux-policy           | package | 20231030-1.1     | noarch | openSUSE-Tumbleweed-Oss
i  | selinux-policy-devel     | package | 20231030-1.1     | noarch | openSUSE-Tumbleweed-Oss
i+ | selinux-policy-targeted  | package | 20231030-1.1     | noarch | openSUSE-Tumbleweed-Oss
i  | selinux-tools            | package | 3.5-5.2          | x86_64 | openSUSE-Tumbleweed-Oss

    Note: For an extended search including not yet activated remote resources please use 'zypper
    search-packages'.

ip-192-168-217-136:/home/ec2-user # ps -efZ | grep "longhorn-manager -d csi"
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 29151 25465  0 00:30 pts/1 00:00:00 grep --color=auto longhorn-manager -d csi

ip-192-168-217-136:/home/ec2-user # ps -efZ | grep "longhorn-manager -d csi"
system_u:system_r:container_runtime_t:s0 root 31026 30576  0 00:32 ?   00:00:00 longhorn-manager -d csi --nodeid=ip-192-168-217-136 --endpoint=unix:///csi/csi.sock --drivername=driver.longhorn.io --manager-url=http://longhorn-backend:9500/v1
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 31183 25465  0 00:32 pts/1 00:00:00 grep --color=auto longhorn-manager -d csi

ip-192-168-217-136:/home/ec2-user # ps -efZ | grep "pause"
system_u:system_r:container_t:s0:c231,c334 65535 2052 1848  0 Nov20 ?  00:00:00 /pause
system_u:system_r:container_t:s0:c58,c588 65535 2126 1927  0 Nov20 ?   00:00:00 /pause
system_u:system_r:container_t:s0:c271,c689 65535 2263 2200  0 Nov20 ?  00:00:00 /pause
system_u:system_r:container_t:s0:c93,c477 65535 2382 2217  0 Nov20 ?   00:00:00 /pause
system_u:system_r:container_t:s0:c26,c585 65535 2423 2301  0 Nov20 ?   00:00:00 /pause
system_u:system_r:container_t:s0:c97,c648 65535 2427 2315  0 Nov20 ?   00:00:00 /pause
system_u:system_r:container_t:s0:c142,c669 65535 2453 2311  0 Nov20 ?  00:00:00 /pause
system_u:system_r:container_t:s0:c418,c835 65535 2455 2347  0 Nov20 ?  00:00:00 /pause
system_u:system_r:container_t:s0:c641,c771 65535 2621 2554  0 Nov20 ?  00:00:00 /pause
system_u:system_r:container_t:s0:c226,c315 65532 2770 2679  0 Nov20 ?  00:00:00 /pause
system_u:system_r:container_t:s0:c109,c281 65535 3132 3062  0 Nov20 ?  00:00:00 /pause
system_u:system_r:container_t:s0:c209,c349 65535 3146 3079  0 Nov20 ?  00:00:00 /pause
system_u:system_r:container_runtime_t:s0 65535 3545 3474  0 Nov20 ?    00:00:00 /pause
system_u:system_r:container_t:s0:c308,c406 65535 3872 3766  0 Nov20 ?  00:00:00 /pause
system_u:system_r:container_t:s0:c126,c599 65535 3884 3837  0 Nov20 ?  00:00:00 /pause
system_u:system_r:container_t:s0:c115,c166 65535 4069 4018  0 Nov20 ?  00:00:00 /pause
system_u:system_r:container_t:s0:c242,c711 65535 4550 4458  0 Nov20 ?  00:00:00 /pause
system_u:system_r:container_t:s0:c254,c998 65535 4696 4625  0 Nov20 ?  00:00:00 /pause
system_u:system_r:container_t:s0:c175,c609 65535 4888 4793  0 Nov20 ?  00:00:00 /pause
system_u:system_r:container_t:s0:c467,c864 65535 5164 5003  0 Nov20 ?  00:00:00 /pause
system_u:system_r:container_t:s0:c548,c562 root 5356 5192  0 Nov20 ?   00:00:00 /pause
system_u:system_r:container_t:s0:c207,c515 65535 5795 5659  0 Nov20 ?  00:00:00 /pause
system_u:system_r:container_t:s0:c29,c545 65535 5845 5646  0 Nov20 ?   00:00:00 /pause
system_u:system_r:container_t:s0:c144,c888 65535 5951 5842  0 Nov20 ?  00:00:00 /pause
system_u:system_r:container_t:s0:c33,c413 65535 6033 5866  0 Nov20 ?   00:00:00 /pause
system_u:system_r:container_t:s0:c748,c926 65535 6134 6040  0 Nov20 ?  00:00:00 /pause
system_u:system_r:container_runtime_t:s0 65535 6630 6556  0 Nov20 ?    00:00:00 /pause
system_u:system_r:container_t:s0:c725,c738 65535 6821 6769  0 Nov20 ?  00:00:00 /pause
system_u:system_r:container_runtime_t:s0 65535 9132 9082  0 Nov20 ?    00:00:00 /pause
system_u:system_r:container_runtime_t:s0 65535 9143 9100  0 Nov20 ?    00:00:00 /pause
system_u:system_r:container_runtime_t:s0 65535 30607 30576  0 00:32 ?  00:00:00 /pause

Other context:

k3s version: v1.27.7+k3s2

OS distribution:

ip-192-168-217-136:~ # cat /etc/os-release
NAME="openSUSE Tumbleweed"
# VERSION="20231119"
ID="opensuse-tumbleweed"
ID_LIKE="opensuse suse"
VERSION_ID="20231119"
PRETTY_NAME="openSUSE Tumbleweed"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:opensuse:tumbleweed:20231119"
BUG_REPORT_URL="https://bugzilla.opensuse.org"
SUPPORT_URL="https://bugs.opensuse.org"
HOME_URL="https://www.opensuse.org"
DOCUMENTATION_URL="https://en.opensuse.org/Portal:Tumbleweed"
LOGO="distributor-logo-Tumbleweed"
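Added example, not part of the issue above and not code from k3s-selinux or Longhorn: a small POSIX shell check that reads `ps -efZ` output and flags workload processes whose SELinux type is `container_runtime_t`, the domain the container engine itself runs in. A privileged pod is expected in `spc_t` and an unprivileged one in `container_t`, so anything else landing in the runtime's own domain is the symptom reported above. The sample lines are constructed to mirror the post-upgrade output in the report; the list of runtime binaries treated as legitimate (`k3s`, `containerd`, `containerd-shim-runc-v2`, `runc`) is an assumption and should be adjusted for the node.

```sh
#!/bin/sh
# Constructed sample modelled on `ps -efZ` output after the policy upgrade.
# Columns: LABEL UID PID PPID C STIME TTY TIME CMD
SAMPLE='LABEL                           UID        PID  PPID  C STIME TTY          TIME CMD
system_u:system_r:container_t:s0:c231,c334 65535 2052 1848  0 Nov20 ?  00:00:00 /pause
system_u:system_r:container_runtime_t:s0 65535 3545 3474  0 Nov20 ?    00:00:00 /pause
system_u:system_r:container_runtime_t:s0 root 1234 1  0 Nov20 ?        00:01:00 /usr/local/bin/k3s server
system_u:system_r:container_runtime_t:s0 root 30576 1  0 00:32 ?       00:00:00 /var/lib/rancher/k3s/data/current/bin/containerd-shim-runc-v2 -namespace k8s.io -id xyz
system_u:system_r:container_runtime_t:s0 root 31026 30576  0 00:32 ?   00:00:00 longhorn-manager -d csi --nodeid=ip-192-168-217-136
system_u:system_r:spc_t:s0      root     4403  4131  0 19:26 ?        00:00:00 /pause'

# Print "PID TYPE EXE" for every process in container_runtime_t whose
# executable is not one of the runtime binaries. Reads ps -efZ lines on stdin.
# $1: optional space-separated list of runtime basenames (assumed defaults below).
find_mislabelled_containers() {
    runtimes="${1:-k3s containerd containerd-shim-runc-v2 runc}"
    while read -r ctx uid pid ppid c stime tty time cmd; do
        # Skip the ps header and blank lines.
        [ "$ctx" = "LABEL" ] && continue
        [ -z "$ctx" ] && continue
        # The SELinux context is user:role:type[:range]; field 3 is the type.
        type=$(printf '%s' "$ctx" | cut -d: -f3)
        [ "$type" = "container_runtime_t" ] || continue
        # Basename of the first word of the command line.
        exe=${cmd%% *}
        exe=${exe##*/}
        case " $runtimes " in
            *" $exe "*) continue ;;   # the runtime itself belongs in this domain
        esac
        printf '%s %s %s\n' "$pid" "$type" "$exe"
    done
}

# Succeeds only when no workload shares the runtime's domain; usable as a
# node health check: ps -efZ | assert_no_runtime_domain_workloads
assert_no_runtime_domain_workloads() {
    hits=$(find_mislabelled_containers | wc -l | tr -d ' ')
    [ "$hits" -eq 0 ]
}

# Stand-alone demo over the constructed sample; on a node use:
#   ps -efZ | find_mislabelled_containers
printf '%s\n' "$SAMPLE" | find_mislabelled_containers
```

On a healthy node the only `container_runtime_t` processes are the runtime binaries, so the check prints nothing. A non-empty result after a selinux-policy-targeted update is the quickest way to confirm the regression described in the report before digging into the policy itself.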