rancher / rke2-selinux

RKE2 selinux + RPM packaging for selinux
Apache License 2.0

local-path-provisioner errors due to SELinux #28

Closed adelton closed 1 year ago

adelton commented 2 years ago

Description of problem

When setting up a RKE2 for quick testing, I'd like to use rancher/local-path-provisioner. However, the SELinux policy seems to prevent operations on /opt/local-path-provisioner.

Version-Release number of selected component (if applicable)

rke2-selinux-0.9-1.el8.noarch rke2-server-1.24.6~rke2r1-0.el8.x86_64 local-path-provisioner/v0.0.22

How reproducible

Deterministic.

Steps to Reproduce

  1. Have RHEL 8.5 as that's a supported OS per https://docs.rke2.io/install/requirements/
  2. Tweak NetworkManager per https://docs.rke2.io/known_issues/#networkmanager
    ( echo '[keyfile]' ; echo 'unmanaged-devices=interface-name:cali*;interface-name:flannel*' ) > /etc/NetworkManager/conf.d/rke2-canal.conf
    systemctl reload NetworkManager
  3. curl -sfL https://get.rke2.io | sh -
  4. systemctl start rke2-server.service
  5. export KUBECONFIG=/etc/rancher/rke2/rke2.yaml PATH=$PATH:/var/lib/rancher/rke2/bin
  6. Wait for kubectl get nodes to show the node Ready
  7. kubectl apply -f https://raw.githubusercontent.com/rancher/local-path-provisioner/v0.0.22/deploy/local-path-storage.yaml
  8. Have file pvc-1.yaml with content
    apiVersion: v1
    kind: PersistentVolumeClaim
    metadata:
      name: data-pvc-1
      namespace: default
    spec:
      accessModes:
      - ReadWriteOnce
      storageClassName: local-path
      resources:
        requests:
          storage: 1Gi
    ---
    apiVersion: v1
    kind: Pod
    metadata:
      name: test-local-path-1
    spec:
      restartPolicy: Never
      containers:
      - name: test-local-path-1
        image: busybox
        imagePullPolicy: IfNotPresent
        volumeMounts:
        - name: data
          mountPath: /data
      volumes:
      - name: data
        persistentVolumeClaim:
          claimName: data-pvc-1
  9. kubectl create -f pvc-1.yaml
  10. kubectl get pods --all-namespaces
  11. grep type=AVC /var/log/audit/audit.log
  12. ls -ldZ /opt/local-path-provisioner

Actual results

# kubectl get pods --all-namespaces
NAMESPACE            NAME                                                              READY   STATUS      RESTARTS   AGE
default              test-local-path-1                                                 0/1     Pending     0          18s
kube-system          cloud-controller-manager-machine.example.com                      1/1     Running     0          115s
kube-system          etcd-machine.example.com                                          1/1     Running     0          114s
kube-system          helm-install-rke2-canal-9htvx                                     0/1     Completed   0          99s
kube-system          helm-install-rke2-coredns-9dqxq                                   0/1     Completed   0          99s
kube-system          helm-install-rke2-ingress-nginx-dhbnq                             0/1     Completed   0          99s
kube-system          helm-install-rke2-metrics-server-zl8cl                            0/1     Completed   0          98s
kube-system          kube-apiserver-machine.example.com                                1/1     Running     0          108s
kube-system          kube-controller-manager-machine.example.com                       1/1     Running     0          118s
kube-system          kube-proxy-machine.example.com                                    1/1     Running     0          103s
kube-system          kube-scheduler-machine.example.com                                1/1     Running     0          116s
kube-system          rke2-canal-z7cxb                                                  2/2     Running     0          88s
kube-system          rke2-coredns-rke2-coredns-76cb76d66-2lmzw                         1/1     Running     0          89s
kube-system          rke2-coredns-rke2-coredns-autoscaler-58867f8fc5-gpr59             1/1     Running     0          89s
kube-system          rke2-ingress-nginx-controller-kqfq4                               1/1     Running     0          55s
kube-system          rke2-metrics-server-6979d95f95-fnppk                              1/1     Running     0          65s
local-path-storage   helper-pod-create-pvc-638e22f1-636c-4aae-8393-69acfd5b648d        0/1     Error       0          18s
local-path-storage   local-path-provisioner-7fdb4745c6-kz4k2                           1/1     Running     0          50s
# grep type=AVC /var/log/audit/audit.log 
type=AVC msg=audit(1665053580.137:245): avc:  denied  { write } for  pid=20157 comm="mkdir" name="local-path-provisioner" dev="dm-0" ino=69539799 scontext=system_u:system_r:container_t:s0:c270,c666 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0
# ls -ldZ /opt/local-path-provisioner
drwxr-xr-x. 2 root root system_u:object_r:usr_t:s0 6 Oct  6 06:52 /opt/local-path-provisioner

Expected results

test-local-path-1 Running or Complete. helper-pod-create-pvc-* not Errored.

No AVC denial.

The /opt/local-path-provisioner likely should have a label that the provisioner container will be comfortable with.

galal-hussein commented 1 year ago

Thanks for opening the issue @adelton. The rke2-selinux policy unfortunately does not offer support for addons other than the ones installed by default with rke2, including https://github.com/rancher/rke2/blob/master/Dockerfile#L108-L122; however, the current issue can be resolved simply by adding a custom allow policy for the /opt/local-path-provisioner directory.

adelton commented 1 year ago

Thanks. I confirm that

# chcon -t container_file_t /opt/local-path-provisioner

fixes the issue.
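The following script is an added example and is not part of this issue or of the rke2-selinux project. It parses AVC records of the shape quoted above from an audit log, reduces each to the source type, target type, object class and denied permissions, and, for a denial where a `container_t` process is blocked on a directory that is not labelled `container_file_t`, emits the persistent form of the fix: `semanage fcontext` plus `restorecon`. This is used instead of `chcon` because a `chcon` label is overwritten by the next `restorecon` or filesystem relabel, whereas a fcontext rule survives them. Because an AVC record carries only the basename (`name="local-path-provisioner"`) and a dev/inode pair, not the full path, the script takes a caller-supplied mapping from basename to directory; that mapping, the second (read) audit line and the `config.json` name are constructed for the example.

```python
"""Summarise SELinux AVC denials and suggest a persistent relabel for a
container volume directory. Added example; not rke2-selinux project code."""
import re
from dataclasses import dataclass
from typing import Optional

# First record is the one quoted in the issue; the second is constructed to
# show a file (not dir) denial that gets no relabel suggestion.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1665053580.137:245): avc:  denied  { write } for  pid=20157 comm="mkdir" name="local-path-provisioner" dev="dm-0" ino=69539799 scontext=system_u:system_r:container_t:s0:c270,c666 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1665053580.137:245): arch=c000003e syscall=83 success=no exit=-13
type=AVC msg=audit(1665053581.001:246): avc:  denied  { read } for  pid=20158 comm="cat" name="config.json" dev="dm-0" ino=69539800 scontext=system_u:system_r:container_t:s0:c270,c666 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0
"""

# Only AVC records are of interest; SYSCALL/CWD/PATH records share the serial
# number but are skipped here.
AVC_RE = re.compile(r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class AvcDenial:
    perms: tuple          # denied permissions, e.g. ("write",)
    comm: str             # command name of the denied process
    name: str             # basename of the target object (no full path in AVC)
    source_type: str      # SELinux type of the process, e.g. container_t
    target_type: str      # SELinux type of the object, e.g. usr_t
    tclass: str           # object class: dir, file, ...
    permissive: bool      # True when the denial was only logged, not enforced


def context_type(ctx: str) -> str:
    """Extract the type field from user:role:type[:level]."""
    return ctx.split(":")[2]


def parse_avc(line: str) -> Optional[AvcDenial]:
    """Parse one audit.log line; return None for anything that is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return AvcDenial(
        perms=tuple(m.group("perms").split()),
        comm=fields.get("comm", ""),
        name=fields.get("name", ""),
        source_type=context_type(fields["scontext"]),
        target_type=context_type(fields["tcontext"]),
        tclass=fields["tclass"],
        permissive=fields.get("permissive") == "1",
    )


def parse_audit_log(text: str) -> list:
    return [d for d in (parse_avc(line) for line in text.splitlines()) if d]


def relabel_commands(denial: AvcDenial, path_by_name: dict) -> list:
    """Return the persistent relabel commands for a container_t denial on a
    directory the container is meant to own, or [] when the denial does not
    have that shape (wrong source type, already container_file_t, not a dir,
    or a basename we cannot map to a path)."""
    if denial.source_type != "container_t" or denial.tclass != "dir":
        return []
    if denial.target_type == "container_file_t":
        return []
    path = path_by_name.get(denial.name)
    if path is None:
        return []
    # The fcontext rule is scoped to this one tree; container_file_t makes the
    # directory accessible to every container_t domain, so keep it narrow.
    return [
        f'semanage fcontext -a -t container_file_t "{path}(/.*)?"',
        f"restorecon -Rv {path}",
    ]


if __name__ == "__main__":
    # Assumed mapping from AVC basename to the directory seen with `ls -ldZ`.
    known_dirs = {"local-path-provisioner": "/opt/local-path-provisioner"}
    for d in parse_audit_log(SAMPLE_AUDIT_LOG):
        print(f"{d.comm}: {d.source_type} -> {d.target_type} {d.tclass} {{ {' '.join(d.perms)} }}")
        for cmd in relabel_commands(d, known_dirs):
            print("  ", cmd)
```

On a real node, feed it `grep type=AVC /var/log/audit/audit.log` and confirm the target path with `ls -ldZ` before applying the printed commands; afterwards `matchpathcon /opt/local-path-provisioner` should report `container_file_t` and no further write denials should appear for `mkdir` from `container_t`.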