Open jhoelzel opened 1 year ago
So far my workaround is this SELinux policy, but this is too broad I think:
module calico-selinux-workaround 1.0;
require {
type container_t;
type var_lib_t;
class file { read open };
}
#============= container_t ==============
allow container_t var_lib_t:file read;
allow container_t var_lib_t:file open;
@jhoelzel That's a fine workaround, but it's a security concern to give any container (container_t) access to /var/lib files, the /var/lib/calico directory needs to be relabeled with container_var_lib_t instead of var_lib_t
ya, I imagined as much =)
then this is probably better:
module calico-selinux-workaround 1.0;
require {
type container_t;
attribute file_type; # so the new type can be used as a file label
class file { read open };
}
# Descriptive type for /var/lib/calico; it does not exist in the base policy,
# so it must be declared here rather than listed in require {}
type calico_var_lib_t;
typeattribute calico_var_lib_t file_type;
# Allow access to the /var/lib/calico directory
allow container_t calico_var_lib_t:file read;
allow container_t calico_var_lib_t:file open;
semanage fcontext -a -t calico_var_lib_t "/var/lib/calico(/.*)?"
restorecon -Rv /var/lib
i will test this extensively this week and let the thread know how it goes
Any updates on this? We've been bitten by this issue on SLE Micro 5.5 as well.
so this has been working for me on MicroOS with SELinux enabled, your mileage may vary:
custom_selinux = <<EOF
module rke2-selinux-workaround 1.0;
require {
type var_lib_t;
type container_var_lib_t;
type rke2_service_t;
type auditd_log_t;
class dir { write add_name };
class file { watch create open append read };
}
#============= rke2_service_t ==============
allow rke2_service_t container_var_lib_t:file watch;
allow rke2_service_t var_lib_t:dir { write add_name };
allow rke2_service_t var_lib_t:file { create };
allow rke2_service_t var_lib_t:file { append open read };
# allow writing to the audit log
allow rke2_service_t auditd_log_t:file { create open read append };
EOF
When I deploy a fresh rke2 cluster with SELinux and Calico enabled I find a lot of access logs for calico in the audit.log
there is a related issue on k3s but no solution yet:
https://github.com/k3s-io/k3s/discussions/6523?ysclid=ll3dyqfu9x671829725
Just to clarify I'm not using rke2 with disabled cni but am rolling with:
cni: calico
In the rke2 config
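The thread's point is that an AVC denial against the generic var_lib_t label on a path under /var/lib/calico is a labeling problem, so the fix is to relabel the directory (container_var_lib_t, as suggested above) rather than to allow container_t onto all of /var/lib. The script below is an added example, not code from this issue or from the rke2/calico projects: it summarizes AVC denial lines from audit.log (the constructed sample lines are made up for the demo) and, per denial, emits either a RELABEL recommendation for /var/lib/calico paths labeled var_lib_t or an audit2allow-style ALLOW line for everything else. The apply_relabel helper is an assumption about how one would apply the relabel; it only runs when semanage and restorecon are present.

```shell
#!/bin/sh
# Added example: triage SELinux AVC denials for calico/rke2 into
# "relabel the path" vs "write an allow rule". Not from the issue thread.
set -eu

# Constructed sample audit.log lines (not real captures).
SAMPLE_AVC=$(cat <<'EOF'
type=AVC msg=audit(1700000000.123:456): avc:  denied  { read } for  pid=4242 comm="calico-node" path="/var/lib/calico/nodename" dev="vda1" ino=12345 scontext=system_u:system_r:container_t:s0:c1,c2 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.124:457): avc:  denied  { open } for  pid=4242 comm="calico-node" path="/var/lib/calico/nodename" dev="vda1" ino=12345 scontext=system_u:system_r:container_t:s0:c1,c2 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000001.000:458): avc:  denied  { watch } for  pid=1234 comm="rke2" path="/var/lib/rancher/rke2/agent/pod-manifests" dev="vda1" ino=67890 scontext=system_u:system_r:rke2_service_t:s0 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=0
EOF
)

# avc_summary: read audit lines on stdin, print one deduplicated line per
# "source_type target_type class perms path" tuple.
avc_summary() {
  awk '
  /^type=AVC/ && /denied/ {
    perm = ""; path = "(none)"; src = ""; tgt = ""; cls = ""
    # permissions sit between "{ " and " }"
    if (match($0, /\{ [^}]* \}/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
    for (i = 1; i <= NF; i++) {
      if ($i ~ /^path=/)     { path = $i; sub(/^path="?/, "", path); sub(/"$/, "", path) }
      if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }   # third field is the type
      if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
      if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
    }
    gsub(/ /, ",", perm)   # keep multi-perm sets as one field: "read open" -> "read,open"
    print src, tgt, cls, perm, path
  }' | sort -u
}

# classify_denials: for each summarized denial decide the remediation.
# A generic var_lib_t label on a /var/lib/calico path means the directory was
# never relabeled; recommend relabeling instead of an allow rule.
classify_denials() {
  avc_summary | while read -r src tgt cls perm path; do
    case "$tgt:$path" in
      var_lib_t:/var/lib/calico|var_lib_t:/var/lib/calico/*)
        printf 'RELABEL %s container_var_lib_t\n' "$path" ;;
      *)
        printf 'ALLOW %s %s:%s { %s }\n' "$src" "$tgt" "$cls" "$(printf '%s' "$perm" | tr , ' ')" ;;
    esac
  done | sort -u
}

# apply_relabel: persist the file context and relabel (assumed usage, run as root).
# Only executes when the SELinux tools exist; otherwise prints what it would do.
apply_relabel() {
  dir=${1:-/var/lib/calico}
  if command -v semanage >/dev/null 2>&1 && command -v restorecon >/dev/null 2>&1; then
    semanage fcontext -a -t container_var_lib_t "${dir}(/.*)?"
    restorecon -Rv "$dir"
  else
    printf 'would run: semanage fcontext -a -t container_var_lib_t "%s(/.*)?" && restorecon -Rv %s\n' "$dir" "$dir"
  fi
}

# Demo on the constructed sample; on a real host use: ausearch -m AVC -ts recent | classify_denials
printf '%s\n' "$SAMPLE_AVC" | classify_denials
```

On a real node feed `ausearch -m AVC -ts recent` (or the raw audit.log) into classify_denials; RELABEL lines are the ones where an allow rule on var_lib_t would be the overly broad fix this thread warns about, and ALLOW lines are candidates for a narrow module like the rke2_service_t one above.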