- Bug
- Resolution: Unresolved
- Major
- None
- 4.13.0
- None
Description of problem:
The fileintegritynodestatuses will always show FAIL on nodes once a SELinux profile is created, even after a manual reinit.
Version-Release number of selected component (if applicable):
4.13.0-0.nightly-2023-04-21-084440 + FIOv1.2.1
How reproducible:
Always
Steps to Reproduce:
1. Install FIO and create a fileintegrity
$ oc apply -f -<<EOF
apiVersion: fileintegrity.openshift.io/v1alpha1
kind: FileIntegrity
metadata:
  name: example-fileintegrity
spec:
  config:
    gracePeriod: 60
    maxBackups: 5
  debug: true
EOF
2. Install SPO
3. Create a new namespace
$ oc new-project demo
4. Add labels
$ oc label ns demo security.openshift.io/scc.podSecurityLabelSync=false pod-security.kubernetes.io/enforce=privileged --overwrite=true
namespace/demo labeled
$ oc label ns demo spo.x-k8s.io/enable-recording="true"
namespace/demo labeled
5. Create SELinux Profile
$ oc apply -f -<<EOF
apiVersion: security-profiles-operator.x-k8s.io/v1alpha2
kind: SelinuxProfile
metadata:
  name: demo1
  namespace: demo
spec:
  allow:
    '@self':
      tcp_socket:
      - listen
    http_cache_port_t:
      tcp_socket:
      - name_bind
    node_t:
      tcp_socket:
      - node_bind
  inherit:
  - kind: System
    name: container
EOF
Actual results:
The fileintegritynodestatuses will always show FAIL on one or several nodes once a SELinux profile is created, even after a manual reinit.

$ oc get fileintegritynodestatuses
NAME                                                          NODE                                     STATUS
example-fileintegrity-xiyuan23-2-8hhz7-master-0               xiyuan23-2-8hhz7-master-0                Failed
example-fileintegrity-xiyuan23-2-8hhz7-master-1               xiyuan23-2-8hhz7-master-1                Succeeded
example-fileintegrity-xiyuan23-2-8hhz7-master-2               xiyuan23-2-8hhz7-master-2                Succeeded
example-fileintegrity-xiyuan23-2-8hhz7-worker-eastus1-72782   xiyuan23-2-8hhz7-worker-eastus1-72782    Succeeded
example-fileintegrity-xiyuan23-2-8hhz7-worker-eastus2-6xtwl   xiyuan23-2-8hhz7-worker-eastus2-6xtwl    Succeeded
example-fileintegrity-xiyuan23-2-8hhz7-worker-eastus3-9sv8v   xiyuan23-2-8hhz7-worker-eastus3-9sv8v    Succeeded

$ oc get cm
NAME                                                                  DATA   AGE
aide-example-fileintegrity-xiyuan23-2-8hhz7-master-0-failed           1      94m
aide-example-fileintegrity-xiyuan23-2-8hhz7-master-1-failed           1      111m
aide-example-fileintegrity-xiyuan23-2-8hhz7-master-2-failed           1      111m
aide-example-fileintegrity-xiyuan23-2-8hhz7-worker-eastus1-72782-failed   1      89m
aide-example-fileintegrity-xiyuan23-2-8hhz7-worker-eastus2-6xtwl-failed   1      107m
aide-example-fileintegrity-xiyuan23-2-8hhz7-worker-eastus3-9sv8v-failed   1      108m
aide-pause                                                            1      5h3m
aide-reinit                                                           1      5h3m
example-fileintegrity                                                 1      5h3m
kube-root-ca.crt                                                      1      5h4m
openshift-service-ca.crt                                              1      5h4m

$ oc extract cm/aide-example-fileintegrity-xiyuan23-2-8hhz7-master-0-failed --confirm
integritylog
$ cat integritylog
Start timestamp: 2023-04-23 08:38:08 +0000 (AIDE 0.16)
AIDE found differences between database and filesystem!!

Summary:
  Total number of entries:      32226
  Added entries:                1
  Removed entries:              4
  Changed entries:              0

---------------------------------------------------
Added entries:
---------------------------------------------------

f++++++++++++++++: /hostroot/root/.bash_history

---------------------------------------------------
Removed entries:
---------------------------------------------------

f----------------: /hostroot/etc/selinux/final/targeted/contexts/files/file_contexts
f----------------: /hostroot/etc/selinux/final/targeted/contexts/files/file_contexts.homedirs
f----------------: /hostroot/etc/selinux/final/targeted/policy/policy.33
f----------------: /hostroot/etc/selinux/final/targeted/seusers

---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------

/hostroot/etc/kubernetes/aide.db.gz
  MD5      : Zl8h8ALIVL5YgMQfEpc2+A==
  SHA1     : tWuL+lVFKK+g0gjE/kQLEzYTfhU=
  RMD160   : v2pdKp0jCkTReQNUU+4MmEuH4e8=
  TIGER    : nRx89oeatcrRdl0h/KqSSDA+0dsgGqTE
  SHA256   : VsQNN7cLOoxQHzobjv5+3+bl/g/1uEbu
             byFf+Gbpf/M=
  SHA512   : VYTClUFp5IBnQSFF1L9q50sW5FXUlRD5
             uA2AywSXGwy9d1fl3pL9O4kUXRnMNaz6
             qMSQ9tfRSR3R2eaV23BMpA==

End timestamp: 2023-04-23 08:38:40 +0000 (run time: 0m 32s)

$ oc extract cm/aide-example-fileintegrity-xiyuan23-2-8hhz7-master-1-failed --confirm
integritylog
$ cat integritylog
Start timestamp: 2023-04-23 08:32:01 +0000 (AIDE 0.16)
AIDE found differences between database and filesystem!!

Summary:
  Total number of entries:      32224
  Added entries:                4
  Removed entries:              0
  Changed entries:              1

---------------------------------------------------
Added entries:
---------------------------------------------------

d++++++++++++++++: /hostroot/etc/selinux/final/targeted
d++++++++++++++++: /hostroot/etc/selinux/final/targeted/contexts
d++++++++++++++++: /hostroot/etc/selinux/final/targeted/contexts/files
d++++++++++++++++: /hostroot/etc/selinux/final/targeted/policy

---------------------------------------------------
Changed entries:
---------------------------------------------------

d ... n ... : /hostroot/etc/selinux/final

---------------------------------------------------
Detailed information about changes:
---------------------------------------------------

Directory: /hostroot/etc/selinux/final
  Linkcount: 2 | 3

---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------

/hostroot/etc/kubernetes/aide.db.gz
  MD5      : clZ9pvsYqSuYZNfiiEhbkA==
  SHA1     : LbDyuL6fPWR4DSsFPURxgsSWstc=
  RMD160   : be1ZqPwdVqoTJQffTJukq4kh3LM=
  TIGER    : o7O6IH5ZfCo4I8oOQFgMeX8Pb7gWut1n
  SHA256   : QvcsW74bMZyX1t0BQ2i2LDWWAuNc/bfh
             bSygReVaaec=
  SHA512   : 90kHwjuwshxfGb3vO4Ig3bQdAi/8gGyt
             JEcFKGcCH5BeV7iBegIvJcpiG6t3cjRo
             LosqtXNgSabhSI4tGsXjjQ==

End timestamp: 2023-04-23 08:32:30 +0000 (run time: 0m 29s)
Expected results:
No fileintegritynodestatus shows Failed after a manual reinit.
Additional info:
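Triage helper, added here as an example; it is not part of this bug report, of the File Integrity Operator or of the Security Profiles Operator. It parses an AIDE 0.16 integritylog of the kind extracted above from a `-failed` ConfigMap, checks that the per-section entries agree with AIDE's own Summary block, and separates paths under `/hostroot/etc/selinux/final/` (the assumption here is that these are the by-product of an SELinux policy rebuild on the node after a SelinuxProfile is installed) from anything else, such as the `/hostroot/root/.bash_history` entry on master-0, which still needs a human look. The sample log is constructed from the master-0 log quoted in the report, with the hash block shortened; the prefix list and all function names are assumptions for illustration.

```python
"""Triage an AIDE integritylog extracted from a File Integrity Operator
failed-node ConfigMap (oc extract cm/<name>-failed --confirm integritylog).

Added example, not part of the bug report or of the operator's code.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: the master-0 log quoted in the report, hash block shortened.
SAMPLE_LOG = """\
Start timestamp: 2023-04-23 08:38:08 +0000 (AIDE 0.16)
AIDE found differences between database and filesystem!!

Summary:
  Total number of entries:      32226
  Added entries:                1
  Removed entries:              4
  Changed entries:              0

---------------------------------------------------
Added entries:
---------------------------------------------------

f++++++++++++++++: /hostroot/root/.bash_history

---------------------------------------------------
Removed entries:
---------------------------------------------------

f----------------: /hostroot/etc/selinux/final/targeted/contexts/files/file_contexts
f----------------: /hostroot/etc/selinux/final/targeted/contexts/files/file_contexts.homedirs
f----------------: /hostroot/etc/selinux/final/targeted/policy/policy.33
f----------------: /hostroot/etc/selinux/final/targeted/seusers

---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------

/hostroot/etc/kubernetes/aide.db.gz
  MD5      : Zl8h8ALIVL5YgMQfEpc2+A==

End timestamp: 2023-04-23 08:38:40 +0000 (run time: 0m 32s)
"""

# Assumption for illustration: changes under these prefixes are the expected
# by-product of an SELinux policy (re)build on the node, e.g. after SPO
# installs a SelinuxProfile. Anything outside them is reported for review.
EXPECTED_PREFIXES = ("/hostroot/etc/selinux/final/",)

# "Added entries:" on its own line opens a section; "Added entries:   1" is
# the Summary block; change lines look like "f++++: /path", "f----: /path"
# or "d ... n ... : /path" (type letter, attribute flags, colon, path).
_SECTION_RE = re.compile(r"^(Added|Removed|Changed) entries:$")
_SUMMARY_RE = re.compile(r"^\s*(Added|Removed|Changed) entries:\s+(\d+)$")
_ENTRY_RE = re.compile(r"^[fdl][^:]*: (?P<path>/\S+)$")


@dataclass
class AideReport:
    summary: dict = field(default_factory=dict)  # {"Added": 1, "Removed": 4, ...}
    entries: dict = field(
        default_factory=lambda: {"Added": [], "Removed": [], "Changed": []}
    )

    def consistent(self):
        """True when the parsed per-section entries match AIDE's Summary counts."""
        return all(len(v) == self.summary.get(k, 0) for k, v in self.entries.items())

    def unexplained(self, prefixes=EXPECTED_PREFIXES):
        """Paths (any section) not covered by an expected prefix; these need review."""
        return [p for paths in self.entries.values() for p in paths
                if not p.startswith(prefixes)]


def parse_aide_log(text):
    """Parse the Summary block and the Added/Removed/Changed sections."""
    report = AideReport()
    section = None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = _SUMMARY_RE.match(line)
        if m:
            report.summary[m.group(1)] = int(m.group(2))
            continue
        m = _SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if line.endswith(":"):  # any other header (Detailed information, attributes) closes the section
            section = None
            continue
        m = _ENTRY_RE.match(line)
        if m and section:
            report.entries[section].append(m.group("path"))
    return report


if __name__ == "__main__":
    r = parse_aide_log(SAMPLE_LOG)
    print("summary matches entries:", r.consistent())
    print("needs review:", r.unexplained())
```

Feed it the `integritylog` file from `oc extract`; on the master-0 log the SELinux policy paths are filtered out and only `/hostroot/root/.bash_history` is left for review. The script only triages a single report; it does not change the fact reported above that the node status stays Failed after a manual reinit.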