Closed cmurphy closed 3 years ago
cc @dweomer @cbron
Updated to remove the new file context. For the record, these are the files that container-selinux applies the container_var_lib_t label to:
/exports(/.*)? all files system_u:object_r:container_var_lib_t:s0
/var/lib/lxc(/.*)? all files system_u:object_r:container_var_lib_t:s0
/var/lib/lxd(/.*)? all files system_u:object_r:container_var_lib_t:s0
/var/lib/ocid(/.*)? all files system_u:object_r:container_var_lib_t:s0
/var/lib/docker(/.*)? all files system_u:object_r:container_var_lib_t:s0
/var/lib/registry(/.*)? all files system_u:object_r:container_var_lib_t:s0
/var/lib/containers(/.*)? all files system_u:object_r:container_var_lib_t:s0
/var/lib/docker-latest(/.*)? all files system_u:object_r:container_var_lib_t:s0
Without this patch, in both RKE1 and RKE2, containers that need to read /var/log/containers (such as the fluentbit containers from the logging operator) are denied by SELinux. In the case of RKE1, regular containers running with type container_t are blocked from reading container logs in /var/log/containers whose file context type is container_log_t, as well as from following those symlinks to the true path of the logs in /var/lib/docker/containers, which docker creates with file context type container_var_lib_t. In the case of RKE1, regular containers are blocked from reading container log files and from following symlinks to /var/log/pods.
The container-selinux package allows containers to transition to domain container_logreader_t, which solves part of the problem but does not allow containers to follow symlinks or read internal docker state files.
This patch adds new policy rules to create a new container_domain type rke_logreader_t which containers can transition to. This domain allows containers to read container log files and to follow symlinks to their true locations. It also allows them to read files with label container_var_lib_t, though this is only required for RKE1 and not RKE2.
This RPM will now need to be newly installed on RKE1, so a rename may be necessary.
https://github.com/rancher/rancher/issues/30949
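To confirm on a node that the denials being hit are the ones described above (a container_t process reading container_log_t symlinks/files or container_var_lib_t docker state) rather than something unrelated, the following triage helper parses AVC lines from the audit log and separates the two. This is an added example, not code from the PR or the rke-selinux project; the audit lines are constructed and the pid, comm and file names in them are made up.

```python
import re
from typing import Dict, List, Optional

# Constructed auditd AVC lines for illustration (not taken from the PR).
SAMPLE_AVCS: List[str] = [
    # fluent-bit following a symlink in /var/log/containers
    'type=AVC msg=audit(1600000000.101:201): avc:  denied  { read } for  pid=2201 comm="fluent-bit" name="app-0_default_app-1a2b3c.log" dev="sda1" ino=1001 scontext=system_u:system_r:container_t:s0:c12,c34 tcontext=system_u:object_r:container_log_t:s0 tclass=lnk_file permissive=0',
    # same process reading the docker json log the symlink points at (RKE1)
    'type=AVC msg=audit(1600000000.102:202): avc:  denied  { read } for  pid=2201 comm="fluent-bit" name="1a2b3c-json.log" dev="sda1" ino=1002 scontext=system_u:system_r:container_t:s0:c12,c34 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=0',
    # reading a log file under /var/log/pods (RKE2)
    'type=AVC msg=audit(1600000000.103:203): avc:  denied  { read } for  pid=2201 comm="fluent-bit" name="0.log" dev="sda1" ino=1003 scontext=system_u:system_r:container_t:s0:c12,c34 tcontext=system_u:object_r:container_log_t:s0 tclass=file permissive=0',
    # unrelated denial that rke_logreader_t should NOT be expected to fix
    'type=AVC msg=audit(1600000000.104:204): avc:  denied  { write } for  pid=2300 comm="sh" name="hosts" dev="sda1" ino=2001 scontext=system_u:system_r:container_t:s0:c12,c34 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0',
]

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

# Target types the PR identifies: log symlinks/files and docker's internal state.
LOG_READ_TARGETS = {
    "container_log_t": {"file", "lnk_file"},      # /var/log/containers, /var/log/pods
    "container_var_lib_t": {"file", "lnk_file"},  # /var/lib/docker/containers (RKE1 only)
}


def selinux_type(context: str) -> str:
    """Return the type (third field) of a user:role:type[:range] security context."""
    return context.split(":")[2]


def parse_avc(line: str) -> Optional[Dict[str, object]]:
    """Extract permissions, source type, target type and object class from one AVC line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {
        "perms": set(m.group("perms").split()),
        "stype": selinux_type(m.group("scontext")),
        "ttype": selinux_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
    }


def is_log_reader_denial(avc: Dict[str, object]) -> bool:
    """True when a container_t process was denied read on a log or docker-state object."""
    classes = LOG_READ_TARGETS.get(avc["ttype"])  # type: ignore[arg-type]
    return avc["stype"] == "container_t" and classes is not None \
        and avc["tclass"] in classes and "read" in avc["perms"]  # type: ignore[operator]


def triage(lines: List[str]) -> Dict[str, List[Dict[str, object]]]:
    """Split AVC lines into those explained by the log-reader gap and everything else."""
    result: Dict[str, List[Dict[str, object]]] = {"log_reader": [], "other": []}
    for line in lines:
        avc = parse_avc(line)
        if avc is not None:
            result["log_reader" if is_log_reader_denial(avc) else "other"].append(avc)
    return result
```

On a real node, feed it the output of `ausearch -m AVC -ts recent` instead of SAMPLE_AVCS; anything landing in "other" is not addressed by transitioning the container to rke_logreader_t.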