rancher / rke2-selinux

RKE2 selinux + RPM packaging for selinux
Apache License 2.0

rke2-selinux needs watch for container_var_lib_t by rke2_service_t on SLE Micro #47

Closed rdoxenham closed 1 year ago

rdoxenham commented 1 year ago

On SLE Micro (it might also be the same for other platforms), the audit logs complain about { watch } access for the TLS certificates; these certificates are labelled as container_var_lib_t and are being accessed by rke2_service_t. The pods still start, and seemingly function, but these logs loop fairly regularly, so we probably want to clear this up:

type=AVC msg=audit(1688489170.834:228): avc:  denied  { watch } for  pid=1971 comm="kube-apiserver" path="/var/lib/rancher/rke2/server/tls/request-header-ca.crt" dev="vda3" ino=22326 scontext=system_u:system_r:rke2_service_t:s0:c143,c230 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1688489170.834:229): avc:  denied  { watch } for  pid=1971 comm="kube-apiserver" path="/var/lib/rancher/rke2/server/tls/client-auth-proxy.crt" dev="vda3" ino=22328 scontext=system_u:system_r:rke2_service_t:s0:c143,c230 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1688489170.834:230): avc:  denied  { watch } for  pid=1971 comm="kube-apiserver" path="/var/lib/rancher/rke2/server/tls/request-header-ca.crt" dev="vda3" ino=22326 scontext=system_u:system_r:rke2_service_t:s0:c143,c230 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1688489170.834:231): avc:  denied  { watch } for  pid=1971 comm="kube-apiserver" path="/var/lib/rancher/rke2/server/tls/client-ca.crt" dev="vda3" ino=22294 scontext=system_u:system_r:rke2_service_t:s0:c143,c230 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1688489170.834:232): avc:  denied  { watch } for  pid=1971 comm="kube-apiserver" path="/var/lib/rancher/rke2/server/tls/client-ca.crt" dev="vda3" ino=22294 scontext=system_u:system_r:rke2_service_t:s0:c143,c230 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1688489170.834:233): avc:  denied  { watch } for  pid=1971 comm="kube-apiserver" path="/var/lib/rancher/rke2/server/tls/serving-kube-apiserver.crt" dev="vda3" ino=22323 scontext=system_u:system_r:rke2_service_t:s0:c143,c230 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=0
galal-hussein commented 1 year ago

Just to clarify some issues: the watch permission is only available starting from kernel 5.4, I believe, according to the article https://lwn.net/Articles/794240/

The selinux_inode_notify hook implementation works by adding five new file
permissions: watch, watch_mount, watch_sb, watch_reads, and watch_with_perm
(descriptions about which will follow), and one new filesystem permission:
watch (which is applied to superblock checks). 

So basically any older kernel version will have a problem with the allow statement unless SELinux is configured with handle_unknown: allow at the system level.

So the safest approach to fix the issue is to allow the watch permissions on systems that ship recent kernels out of the box. Currently I have a PR that fixes the issue for RHEL9 only; as for other distros with an upgraded kernel, I think we should only release-note the issue with a workaround of adding a custom policy.

cc @cwayne18 @dweomer
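
As an added example (not code from the rke2-selinux project and not part of this thread), the script below does two things the issue body and the comment above describe by hand: it collapses the AVC lines quoted in the issue into source-type / target-type / class triples, and it renders the custom-policy workaround the comment proposes, gated on the kernel 5.4 threshold the comment cites so that nothing is emitted for older kernels (where, per the comment, the allow statement only works with handle_unknown: allow). The sample AVC lines are copied from the issue; the kernel release strings, the module name rke2_watch and all helper names are assumptions. The module text follows the raw .te shape that audit2allow -M produces.

```python
"""Summarise SELinux AVC denials and render a workaround policy module.

Added example, not from the rke2-selinux project. SAMPLE_AVC is built from
three of the kube-apiserver denials quoted in the issue; the kernel release
strings used below are made up. The 5.4 gate follows the comment above and
the LWN article it cites.
"""
import re
from collections import defaultdict

# Constructed sample: three of the denials from the issue body, verbatim.
SAMPLE_AVC = """\
type=AVC msg=audit(1688489170.834:228): avc:  denied  { watch } for  pid=1971 comm="kube-apiserver" path="/var/lib/rancher/rke2/server/tls/request-header-ca.crt" dev="vda3" ino=22326 scontext=system_u:system_r:rke2_service_t:s0:c143,c230 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1688489170.834:231): avc:  denied  { watch } for  pid=1971 comm="kube-apiserver" path="/var/lib/rancher/rke2/server/tls/client-ca.crt" dev="vda3" ino=22294 scontext=system_u:system_r:rke2_service_t:s0:c143,c230 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1688489170.834:233): avc:  denied  { watch } for  pid=1971 comm="kube-apiserver" path="/var/lib/rancher/rke2/server/tls/serving-kube-apiserver.crt" dev="vda3" ino=22323 scontext=system_u:system_r:rke2_service_t:s0:c143,c230 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=0
"""

# Pulls the permission set, both contexts and the object class out of one AVC line.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def type_of(context):
    """user:role:type[:level] -> type, the part a policy rule names."""
    return context.split(":")[2]


def summarize_denials(audit_text):
    """Collapse AVC lines into {(source_type, target_type, tclass): [perms]}.

    Only enforced denials (permissive=0) are kept: permissive-mode lines
    were already allowed and would only add noise to a workaround.
    """
    denials = defaultdict(set)
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if not m or "permissive=1" in line:
            continue
        key = (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"])
        denials[key].update(m["perms"].split())
    return {k: sorted(v) for k, v in denials.items()}


def kernel_supports_watch(release, minimum=(5, 4)):
    """True if a `uname -r` string is at least 5.4, where the watch permissions appeared."""
    m = re.match(r"(\d+)\.(\d+)", release)
    if not m:
        raise ValueError(f"unparseable kernel release: {release!r}")
    return (int(m.group(1)), int(m.group(2))) >= minimum


def render_policy_module(name, denials, version="1.0"):
    """Render a raw .te module in the shape audit2allow -M produces."""
    types = sorted({t for src, tgt, _ in denials for t in (src, tgt)})
    classes = defaultdict(set)
    for (_, _, cls), perms in denials.items():
        classes[cls].update(perms)
    lines = [f"module {name} {version};", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {cls} {{ {' '.join(sorted(p))} }};" for cls, p in sorted(classes.items())]
    lines += ["}", ""]
    for (src, tgt, cls), perms in sorted(denials.items()):
        lines.append(f"allow {src} {tgt}:{cls} {{ {' '.join(perms)} }};")
    return "\n".join(lines) + "\n"


def build_workaround(audit_text, kernel_release, name="rke2_watch"):
    """Module text for the denials, or None when the kernel predates watch
    (or there is nothing to allow)."""
    if not kernel_supports_watch(kernel_release):
        return None
    denials = summarize_denials(audit_text)
    return render_policy_module(name, denials) if denials else None


if __name__ == "__main__":
    # On a host you would feed it `ausearch -m avc` output and `uname -r`, then:
    #   checkmodule -M -m -o rke2_watch.mod rke2_watch.te
    #   semodule_package -o rke2_watch.pp -m rke2_watch.mod
    #   semodule -i rke2_watch.pp
    print(build_workaround(SAMPLE_AVC, "5.14.21-150400.24.63-default"))
```

The aggregation step matters more than it looks: the issue shows the same certificate denied twice in one second, so a naive one-rule-per-line generator would produce duplicate allow rules, while grouping by (source type, target type, class) yields the single rule that actually needs reviewing before it is installed.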

galal-hussein commented 1 year ago

I will be closing this issue as it's a duplicate of https://github.com/rancher/rke2-selinux/issues/31 and will track the fix there.