k3s-io / k3s-selinux

SELinux policy for k3s
Apache License 2.0

Persistent volume creation fails using the Local Path Provisioner with SELinux enabled. #9

Closed cruizer closed 4 years ago

cruizer commented 4 years ago

Hello,

I have run into this issue, while setting up my CentOS 8 / K3s lab.

Persistent volume claims fail to bind using K3s' built-in Local Path Provisioner, SELinux is blocking the directory creation:

type=AVC msg=audit(1590840690.471:714): avc:  denied  { create } for  pid=17975 comm="mkdir" name="pvc-f349b28b-12cd-42c1-ad7b-f1bf018f9171" scontext=system_u:system_r:container_t:s0:c228,c866 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1590840690.471:714): arch=c000003e syscall=83 per=400000 success=no exit=-13 a0=7ffd8cb6676d a1=1ff a2=7ffd8cb6679b a3=1ff items=0 ppid=17862 pid=17975 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mkdir" exe="/bin/mkdir" subj=system_u:system_r:container_t:s0:c228,c866 key=(null) ARCH=x86_64 SYSCALL=mkdir AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"

The problem is gone after setting the SELinux mode to Permissive.

The policy RPM and required SELinux utils have been installed:

[root@nas yaml]#  rpm -qa | grep selinux
rpm-plugin-selinux-4.14.2-26.el8_1.x86_64
python3-libselinux-2.9-2.1.el8.x86_64
libselinux-utils-2.9-2.1.el8.x86_64
container-selinux-2.124.0-1.module_el8.1.0+298+41f9343a.noarch
selinux-policy-3.14.3-20.el8.noarch
k3s-selinux-0.1.1-rc1.el7.noarch
selinux-policy-targeted-3.14.3-20.el8.noarch
libselinux-2.9-2.1.el8.x86_64

This is a fresh install of CentOS:

[root@nas yaml]#  cat /etc/redhat-release
CentOS Linux release 8.1.1911 (Core)
[root@nas yaml]#  uname -a
Linux nas.example.com 4.18.0-147.8.1.el8_1.x86_64 #1 SMP Thu Apr 9 13:49:54 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
[root@nas yaml]#  k3s --version
k3s version v1.18.3+k3s1 (96653e8d)

Example volume claim:

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: owncloud-redis
  namespace: default
spec:
  accessModes:
  - ReadWriteOnce
  storageClassName: local-path
  resources:
    requests:
      storage: 2Gi

cruizer commented 4 years ago

Setting the container_file_t file context for the whole Local Path Provisioner subdirectory solves the issue:

# semanage fcontext -a -t container_file_t  "/var/lib/rancher/k3s/storage(/.*)?"
# restorecon -R  /var/lib/rancher/k3s/storage/

I will submit a pull request to update the policy shortly.
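The denial and the relabelling fix from this thread, turned into a small checker. This is an added example, not code from the issue or from the k3s-selinux project: it parses an AVC record of the kind pasted above, confirms it is the container_t process on a container_var_lib_t target pattern that the fcontext rule addresses, and prints the persistent relabel commands. The storage path and the sample record are taken from the issue; the function names are the example's own, and `check_current_label` only does anything useful on a host with SELinux labels.

```shell
#!/bin/sh
# Added example: classify an AVC denial and emit the local-path storage relabel.
# Not part of the k3s-selinux project. Storage root is assumed from the issue.

STORAGE_DIR="/var/lib/rancher/k3s/storage"   # assumed Local Path Provisioner root

# Constructed sample: the AVC record reported in the issue, verbatim.
SAMPLE_AVC='type=AVC msg=audit(1590840690.471:714): avc:  denied  { create } for  pid=17975 comm="mkdir" name="pvc-f349b28b-12cd-42c1-ad7b-f1bf018f9171" scontext=system_u:system_r:container_t:s0:c228,c866 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=dir permissive=0'

# avc_field LINE KEY -> value of KEY=... in the record (surrounding quotes removed)
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p" | tr -d '"'
}

# avc_type_of CONTEXT -> the type component (third colon field) of an SELinux context
avc_type_of() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_perm LINE -> the permission named inside "{ ... }"
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\([a-z_]*\) *}.*/\1/p'
}

# is_pv_label_denial LINE -> exit 0 when a container_t process is denied on a
# container_var_lib_t object, i.e. the mislabelled storage tree seen in the issue
is_pv_label_denial() {
    line=$1
    printf '%s\n' "$line" | grep -q 'avc: *denied' || return 1
    [ "$(avc_type_of "$(avc_field "$line" scontext)")" = "container_t" ] || return 1
    [ "$(avc_type_of "$(avc_field "$line" tcontext)")" = "container_var_lib_t" ] || return 1
    return 0
}

# fix_commands DIR -> prints the persistent relabel for DIR (does not run it)
fix_commands() {
    printf 'semanage fcontext -a -t container_file_t "%s(/.*)?"\n' "$1"
    printf 'restorecon -R -v "%s"\n' "$1"
}

# check_current_label DIR -> exit 0 if DIR already carries container_file_t
# (needs an SELinux-enabled host; ls -Z prints the context)
check_current_label() {
    ls -Zd "$1" 2>/dev/null | grep -q ':container_file_t:'
}

# Walk the audit record and print the remediation when it matches.
if is_pv_label_denial "$SAMPLE_AVC"; then
    echo "matched: $(avc_field "$SAMPLE_AVC" comm) denied $(avc_perm "$SAMPLE_AVC") on $(avc_field "$SAMPLE_AVC" tclass) $(avc_field "$SAMPLE_AVC" name)"
    check_current_label "$STORAGE_DIR" || fix_commands "$STORAGE_DIR"
fi
```

In practice you would feed it `ausearch -m AVC -ts recent` output line by line instead of the embedded sample; relabelling only the storage tree keeps the rest of `/var/lib/rancher/k3s` at its policy-assigned label, which is the same scope the fcontext rule in the comment above uses.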

cruizer commented 4 years ago

I have opened pull request #10 . Let me know if any issue needs fixing. :)