
Using Cilium on MicroOS with SELinux triggers audit warning #66

Open jhoelzel opened 8 months ago

jhoelzel commented 8 months ago

As with #50, it's the same problem for Cilium.

nyc3-prod-02-master-0-bwyji:/home/deploy cat /var/log/audit/audit.log | grep "denied"
type=AVC msg=audit(1711564489.897:215): avc:  denied  { write } for  pid=3034 comm="cp" name="bin" dev="vda3" ino=258 scontext=system_u:system_r:container_t:s0:c217,c278 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1711564489.917:216): avc:  denied  { write } for  pid=3043 comm="cp" name="bin" dev="vda3" ino=258 scontext=system_u:system_r:container_t:s0:c217,c278 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1711564489.927:217): avc:  denied  { write } for  pid=3048 comm="cp" name="bin" dev="vda3" ino=258 scontext=system_u:system_r:container_t:s0:c217,c278 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1711567283.879:166): avc:  denied  { write } for  pid=2395 comm="cp" name="bin" dev="vda3" ino=258 scontext=system_u:system_r:container_t:s0:c30,c180 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1711567283.899:167): avc:  denied  { write } for  pid=2409 comm="cp" name="bin" dev="vda3" ino=258 scontext=system_u:system_r:container_t:s0:c30,c180 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1711567283.909:168): avc:  denied  { write } for  pid=2414 comm="cp" name="bin" dev="vda3" ino=258 scontext=system_u:system_r:container_t:s0:c30,c180 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1711612728.803:164): avc:  denied  { add_name } for  pid=2520 comm="cp" name="dummy" scontext=system_u:system_r:container_t:s0:c874,c957 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1711612728.830:165): avc:  denied  { add_name } for  pid=2529 comm="cp" name="portmap" scontext=system_u:system_r:container_t:s0:c874,c957 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1711612728.847:166): avc:  denied  { add_name } for  pid=2534 comm="cp" name="tap" scontext=system_u:system_r:container_t:s0:c874,c957 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1711613974.095:156): avc:  denied  { add_name } for  pid=2417 comm="cp" name="dummy" scontext=system_u:system_r:container_t:s0:c528,c547 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1711613974.125:157): avc:  denied  { add_name } for  pid=2426 comm="cp" name="portmap" scontext=system_u:system_r:container_t:s0:c528,c547 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1711613974.135:158): avc:  denied  { add_name } for  pid=2431 comm="cp" name="tap" scontext=system_u:system_r:container_t:s0:c528,c547 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1711614531.767:186): avc:  denied  { add_name } for  pid=2717 comm="cp" name="dummy" scontext=system_u:system_r:container_t:s0:c554,c621 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1711614531.797:187): avc:  denied  { add_name } for  pid=2736 comm="cp" name="portmap" scontext=system_u:system_r:container_t:s0:c554,c621 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1711614531.811:188): avc:  denied  { add_name } for  pid=2741 comm="cp" name="tap" scontext=system_u:system_r:container_t:s0:c554,c621 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1711614574.775:1048): avc:  denied  { create } for  pid=4753 comm="cp" name="dummy" scontext=system_u:system_r:container_t:s0:c305,c487 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0
type=AVC msg=audit(1711614574.798:1049): avc:  denied  { create } for  pid=4762 comm="cp" name="portmap" scontext=system_u:system_r:container_t:s0:c305,c487 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0
type=AVC msg=audit(1711614574.812:1050): avc:  denied  { create } for  pid=4767 comm="cp" name="tap" scontext=system_u:system_r:container_t:s0:c305,c487 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0
type=AVC msg=audit(1711614816.935:190): avc:  denied  { write } for  pid=2824 comm="cp" path="/host/opt/cni/bin/dummy" dev="vda3" ino=278 scontext=system_u:system_r:container_t:s0:c587,c923 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0
type=AVC msg=audit(1711614816.935:191): avc:  denied  { remove_name } for  pid=2824 comm="cp" name="dummy" dev="vda3" ino=278 scontext=system_u:system_r:container_t:s0:c587,c923 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1711614816.958:192): avc:  denied  { write } for  pid=2833 comm="cp" path="/host/opt/cni/bin/portmap" dev="vda3" ino=279 scontext=system_u:system_r:container_t:s0:c587,c923 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0
type=AVC msg=audit(1711614816.958:193): avc:  denied  { remove_name } for  pid=2833 comm="cp" name="portmap" dev="vda3" ino=279 scontext=system_u:system_r:container_t:s0:c587,c923 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1711614816.968:194): avc:  denied  { write } for  pid=2838 comm="cp" path="/host/opt/cni/bin/tap" dev="vda3" ino=280 scontext=system_u:system_r:container_t:s0:c587,c923 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0
type=AVC msg=audit(1711614816.968:195): avc:  denied  { remove_name } for  pid=2838 comm="cp" name="tap" dev="vda3" ino=280 scontext=system_u:system_r:container_t:s0:c587,c923 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0

Fix so far:

nyc3-prod-02-master-0-bwyji:/home/deploy # cat mypolicy.te

module mypolicy 1.0;

# Local policy module that silences the AVC denials quoted above: `cp` running
# in a container_t process writes CNI plugin binaries into a directory that is
# labelled usr_t (/host/opt/cni/bin on this host).
#
# NOTE(review): the rules are keyed on container_t itself, so they apply to
# every container_t process on the node, not only Cilium's pods, and they
# grant write/create/unlink on anything labelled usr_t.  A narrower policy
# would give the CNI directory a dedicated type and grant write to that type
# only -- to be confirmed against how /opt/cni/bin is labelled on MicroOS.

require {
        type container_t;
        type usr_t;
        class file { create unlink write };
        class dir { add_name remove_name write };
}

#============= container_t ==============

# Directory entries: add and remove names in usr_t directories.
allow container_t usr_t:dir { write add_name remove_name };

# File contents: create, overwrite and delete usr_t files.
allow container_t usr_t:file { write create unlink };

As usual, I'm not happy with it and it needs to be improved, but it works for now ;)

jhoelzel commented 7 months ago

Cilium runs as {"level":"s0","type":"spc_t"}

module cilium_selinux 1.2;
# Second attempt: instead of granting write on usr_t to all of container_t,
# declare a dedicated domain for Cilium and grant the permissions to it only.
# NOTE(review): per the comment above, the Cilium agent runs as spc_t, while
# every denial quoted in this issue has scontext container_t; the `cp`
# processes are presumably a different (init) container, so confirm which
# container would actually have to run in the new domain.
require {
    type usr_t;
    type container_t;
    class dir { add_name remove_name write };
    class file { create unlink write };
 #   class process transition;
}
# NOTE(review): the attribute container_domain is referenced below but is not
# declared in the require block; the module is unlikely to build without an
# `attribute container_domain;` entry here -- verify with checkmodule.

# Define the new type
type container_t_cilium, container_domain;
# NOTE(review): typeattribute takes an attribute as its second operand, but
# container_t is declared as a *type* in the require block above, so this
# statement is likely rejected at build time -- probably why the same AVC
# denials kept appearing after loading this module.
typeattribute container_t_cilium container_t;

# Allow container_t_cilium to transition from container_t
#allow container_t container_t_cilium:process transition;

#============= container_t_cilium ==============

# Inherit container_t permissions
# NOTE(review): roleattribute associates a role with role attributes; neither
# operand here is a role, so this line does not inherit anything from
# container_t.  Inherited permissions would come from the attributes the new
# type carries (e.g. container_domain), and the container would still have to
# be started with that type (Kubernetes seLinuxOptions.type) for the rules
# below to apply -- confirm.
roleattribute container_t_cilium container_t;

# Specify additional permissions for container_t_cilium
# Same broad grant as the first module (write/create/unlink on everything
# labelled usr_t), but scoped to the new domain only.
allow container_t_cilium usr_t:dir { add_name remove_name write };
allow container_t_cilium usr_t:file { create unlink write };

But I still had no luck — I would still receive the same log entries as above, so for now the general solution it is.