rancher / rke2-selinux

RKE2 selinux + RPM packaging for selinux
Apache License 2.0

Using Calico on MicroOS with SELinux triggers audit warning #50

Open jhoelzel opened 1 year ago

jhoelzel commented 1 year ago

When I deploy a fresh rke2 cluster with SELinux and Calico enabled I find a lot of access logs for calico in the audit.log

type=AVC msg=audit(1691564510.662:794): avc:  denied  { read } for  pid=13698 comm="operator" name="mtu" dev="vda3" ino=35883 scontext=system_u:system_r:container_t:s0:c321,c914 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1691564511.722:795): avc:  denied  { read } for  pid=13698 comm="operator" name="mtu" dev="vda3" ino=35883 scontext=system_u:system_r:container_t:s0:c321,c914 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1691564512.952:796): avc:  denied  { read } for  pid=13698 comm="operator" name="mtu" dev="vda3" ino=35883 scontext=system_u:system_r:container_t:s0:c321,c914 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1691564513.332:797): avc:  denied  { read } for  pid=13698 comm="operator" name="mtu" dev="vda3" ino=35883 scontext=system_u:system_r:container_t:s0:c321,c914 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1691564517.625:798): avc:  denied  { read } for  pid=13698 comm="operator" name="mtu" dev="vda3" ino=35883 scontext=system_u:system_r:container_t:s0:c321,c914 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0

there is a related issue on k3s but no solution yet:

https://github.com/k3s-io/k3s/discussions/6523?ysclid=ll3dyqfu9x671829725

Just to clarify, I'm not using rke2 with disabled cni but am rolling with:

cni: calico

In the rke2 config

jhoelzel commented 1 year ago

So far my workaround is this selinux policy, but this is too broad I think:

module calico-selinux-workaround 1.0;
require {
        type container_t;
        type var_lib_t;
        class file { read open };
}

#============= container_t ==============
allow container_t var_lib_t:file read;
allow container_t var_lib_t:file open;
galal-hussein commented 1 year ago

@jhoelzel That's a fine workaround, but it's a security concern to give any container (container_t) access to /var/lib files; the /var/lib/calico directory needs to be relabeled with container_var_lib_t instead of var_lib_t
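An added example, not code from the issue or from the rke2-selinux project: a small Python script that aggregates AVC denial lines like the ones at the top of this thread into the minimal allow rule they imply, and flags any rule whose target is a generic base type such as var_lib_t, which is exactly the concern raised in the comment above. The audit lines embedded below are constructed from the ones in the thread (one `open` denial is added to show permission aggregation).

```python
import re
from collections import defaultdict

# Constructed sample audit lines, modelled on the denials reported in this issue.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1691564510.662:794): avc:  denied  { read } for  pid=13698 comm="operator" name="mtu" dev="vda3" ino=35883 scontext=system_u:system_r:container_t:s0:c321,c914 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1691564511.722:795): avc:  denied  { read } for  pid=13698 comm="operator" name="mtu" dev="vda3" ino=35883 scontext=system_u:system_r:container_t:s0:c321,c914 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1691564512.100:796): avc:  denied  { open } for  pid=13698 comm="operator" name="mtu" dev="vda3" ino=35883 scontext=system_u:system_r:container_t:s0:c321,c914 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
"""

# Pulls the permission set, source/target contexts and object class out of one AVC record.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Base file types that cover far more than one application's data; granting a
# container domain access to them is the "too broad" case discussed above.
GENERIC_TYPES = {"var_lib_t", "var_t", "etc_t", "usr_t", "default_t"}


def parse_avc(line):
    """Return (source type, target type, class, perms) or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A context is user:role:type:level, so the type is the third field.
    stype = m["scontext"].split(":")[2]
    ttype = m["tcontext"].split(":")[2]
    return stype, ttype, m["tclass"], set(m["perms"].split())


def summarize(audit_text):
    """Aggregate denials into {(source type, target type, class): permissions}."""
    rules = defaultdict(set)
    for line in audit_text.splitlines():
        parsed = parse_avc(line)
        if parsed:
            stype, ttype, tclass, perms = parsed
            rules[(stype, ttype, tclass)] |= perms
    return dict(rules)


def render(rules):
    """Emit one allow rule per aggregated key, annotating generic targets."""
    out = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        rule = f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};"
        if ttype in GENERIC_TYPES:
            rule += f"  # too broad: relabel the path rather than opening {ttype}"
        out.append(rule)
    return out


if __name__ == "__main__":
    print("\n".join(render(summarize(SAMPLE_AUDIT))))
```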

jhoelzel commented 1 year ago

ya, I imagined as much =)

then this is probably better:

module calico-selinux-workaround 1.0;

require {
    type container_t;
    attribute file_type;
    class file { read open };
}

# Descriptive type for /var/lib/calico. It is declared here rather than in the
# require block because no other policy module defines it; marking it as a
# file_type keeps ordinary file-management domains able to reach the directory.
type calico_var_lib_t;
typeattribute calico_var_lib_t file_type;

# Allow access to the /var/lib/calico directory
allow container_t calico_var_lib_t:file { read open };

# Label the directory with the new type and apply it on disk:
semanage fcontext -a -t calico_var_lib_t "/var/lib/calico(/.*)?"
restorecon -Rv /var/lib

i will test this extensively this week and let the thread know how it goes

e-minguez commented 6 months ago

Any updates on this? We've been bitten by this issue on SLE Micro 5.5 as well.

jhoelzel commented 5 months ago

so this has been working for me on microos with selinux enabled, your mileage may vary:

custom_selinux = <<EOF
module rke2-selinux-workaround 1.0;

require {
        type var_lib_t;
        type container_var_lib_t;
        type rke2_service_t;
        type auditd_log_t;
        class dir { write add_name};
        class file { watch create open append read};
}

#============= rke2_service_t ==============
allow rke2_service_t container_var_lib_t:file watch;
allow rke2_service_t var_lib_t:dir { write add_name };
allow rke2_service_t var_lib_t:file { create append open read };
# allow to write to audit log
allow rke2_service_t auditd_log_t:file { create open read append };

EOF