redhat-cop / ocp4-helpernode

This playbook helps set up an "all-in-one" node, that has all the infrastructure/services in order to install OpenShift 4.

Running local-registry container in privileged mode #307

Closed varad-ahirwadkar closed 1 year ago

varad-ahirwadkar commented 1 year ago

For RHEL 9, SELinux prevents access when running the local-registry container in unprivileged mode.

varad-ahirwadkar commented 1 year ago

/cc @Prajyot-Parab @yussufsh

Prajyot-Parab commented 1 year ago

@varad-ahirwadkar have you tested this change with RHEL 8? Also, if this is a limitation with RHEL 9, is there any doc reference to take a look at?

varad-ahirwadkar commented 1 year ago

Yes, it is working with RHEL 8. With RHEL 9, crun is not working, so I updated to RHEL 9.1.

I did not find any doc with this limitation, but SELinux prevents access for all unprivileged containers in enforcing mode. With a privileged container or SELinux permissive mode, I am able to create containers.

local-registry container:

# sealert -l 606b9df0-ae7b-4f5e-b05f-52ccc1e31ba1
SELinux is preventing /bin/registry from create access on the tcp_socket port None.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that registry should be allowed create access on the port None tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'registry' --raw | audit2allow -M my-registry
# semodule -X 300 -i my-registry.pp

Additional Information:
Source Context                system_u:system_r:container_t:s0:c114,c681
Target Context                system_u:system_r:container_t:s0:c114,c681
Target Objects                port None [ tcp_socket ]
Source                        registry
Source Path                   /bin/registry
Port                          <Unknown>
Host                          ocp4alll633.pok.stglabs.ibm.com
Source RPM Packages
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-34.1.43-1.el9_1.2.noarch
Local Policy RPM              selinux-policy-targeted-34.1.43-1.el9_1.2.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     ocp4alll633.pok.stglabs.ibm.com
Platform                      Linux ocp4alll633.pok.stglabs.ibm.com
                              5.14.0-162.18.1.el9_1.ppc64le #1 SMP Thu Feb 9
                              04:10:54 EST 2023 ppc64le ppc64le
Alert Count                   1
First Seen                    2023-03-09 00:23:15 EST
Last Seen                     2023-03-09 00:23:15 EST
Local ID                      606b9df0-ae7b-4f5e-b05f-52ccc1e31ba1

Raw Audit Messages
type=AVC msg=audit(1678339395.455:1435): avc:  denied  { create } for  pid=19957 comm="registry" scontext=system_u:system_r:container_t:s0:c114,c681 tcontext=system_u:system_r:container_t:s0:c114,c681 tclass=tcp_socket permissive=0

type=SYSCALL msg=audit(1678339395.455:1435): arch=ppc64le syscall=socket success=no exit=EACCES a0=2 a1=80801 a2=0 a3=0 items=0 ppid=19955 pid=19957 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=9 comm=registry exe=/bin/registry subj=system_u:system_r:container_t:s0:c114,c681 key=(null)

Hash: registry,container_t,container_t,tcp_socket,create

nginx container:

SELinux is preventing /usr/sbin/nginx from using the chown capability.

busybox with echo:

SELinux is preventing /bin/echo from 'read, write' accesses on the chr_file /dev/pts/0.
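As an added example (not code from the ocp4-helpernode project or from the comment author), the following Python parses raw AVC records like the ones pasted above into structured fields and summarises them for triage. The first two sample lines are copied from the sealert output in the comment; the third is a constructed nginx record with permissive=1 for contrast. Two checks matter when reading such a denial: scontext equal to tcontext (container_t on both sides) means the policy lacks a rule for the container domain itself rather than there being an MCS category clash between two containers, and permissive=1 means the access was logged but not actually blocked, which is exactly what the "set SELinux to permissive" workaround gives up.

```python
"""Parse raw SELinux AVC audit messages and triage container denials."""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample input: the first two lines are the raw audit messages from
# the sealert output in the comment above; the third is a constructed nginx
# variant logged with permissive=1 for contrast.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1678339395.455:1435): avc:  denied  { create } for  pid=19957 comm="registry" scontext=system_u:system_r:container_t:s0:c114,c681 tcontext=system_u:system_r:container_t:s0:c114,c681 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1678339395.455:1435): arch=ppc64le syscall=socket success=no exit=EACCES a0=2 a1=80801 a2=0 a3=0 items=0 ppid=19955 pid=19957 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=9 comm=registry exe=/bin/registry subj=system_u:system_r:container_t:s0:c114,c681 key=(null)
type=AVC msg=audit(1678339400.100:1440): avc:  denied  { chown } for  pid=20001 comm="nginx" capability=0 scontext=system_u:system_r:container_t:s0:c10,c20 tcontext=system_u:system_r:container_t:s0:c10,c20 tclass=capability permissive=1
"""

# Header of an AVC record: timestamp, serial, verdict, permission set, then key=value fields.
AVC_HEAD = re.compile(
    r"^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
# key=value pairs; values may be quoted (comm="registry") or bare tokens.
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class AvcRecord:
    serial: int
    verdict: str
    perms: Tuple[str, ...]
    comm: str
    pid: int
    scontext: str
    tcontext: str
    tclass: str
    permissive: bool

    def source_type(self) -> str:
        return self.scontext.split(":")[2]

    def target_type(self) -> str:
        return self.tcontext.split(":")[2]

    def same_domain(self) -> bool:
        # Identical source and target context: the missing rule is a self rule of the
        # domain, not an MCS category clash between two differently labelled containers.
        return self.scontext == self.tcontext

    def enforced(self) -> bool:
        # permissive=1 means the kernel logged the denial but let the access through.
        return self.verdict == "denied" and not self.permissive


def parse_avc_lines(text: str) -> List[AvcRecord]:
    """Return one AvcRecord per type=AVC line; other record types are skipped."""
    records = []
    for line in text.splitlines():
        m = AVC_HEAD.match(line.strip())
        if not m:
            continue  # SYSCALL, PROCTITLE and similar records carry no verdict
        kv = {k: v.strip('"') for k, v in KV.findall(m.group("rest"))}
        records.append(AvcRecord(
            serial=int(m.group("serial")),
            verdict=m.group("verdict"),
            perms=tuple(m.group("perms").split()),
            comm=kv.get("comm", "?"),
            pid=int(kv.get("pid", "0")),
            scontext=kv["scontext"],
            tcontext=kv["tcontext"],
            tclass=kv["tclass"],
            permissive=kv.get("permissive") == "1",
        ))
    return records


def triage(records: List[AvcRecord]) -> List[str]:
    """One human-readable summary line per record, flagging scope and enforcement."""
    lines = []
    for r in records:
        mode = "blocked (enforcing)" if r.enforced() else "logged only (permissive)"
        if r.same_domain():
            scope = "source and target are both %s: self rule missing for the container domain" % r.source_type()
        else:
            scope = "cross-type access %s -> %s" % (r.source_type(), r.target_type())
        lines.append("serial %d: %s (pid %d) %s %s on %s; %s; %s" % (
            r.serial, r.comm, r.pid, r.verdict, ",".join(r.perms), r.tclass, scope, mode))
    return lines


if __name__ == "__main__":
    for summary in triage(parse_avc_lines(SAMPLE_AUDIT)):
        print(summary)
```

To run it against a live host, feed the output of `ausearch -m AVC --raw` to parse_avc_lines instead of the embedded sample; a denial that triages as "blocked (enforcing)" with both contexts equal is the kind shown in the sealert report above, and the same record logged with permissive=1 after switching to permissive mode confirms that the workaround disables the check rather than fixing the policy.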

Prajyot-Parab commented 1 year ago

@varad-ahirwadkar Running containers in privileged mode is not recommended in general. Did you explore any other workarounds?

varad-ahirwadkar commented 1 year ago

Yes, the other workaround is to set the SELinux mode to permissive.

varad-ahirwadkar commented 1 year ago

I am closing this PR because the issue is not seen on RHEL 9.2.