Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-20022

SELinux: kubelet running with wrong label

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done-Errata
    • Icon: Normal Normal
    • 4.15.0
    • 4.13.z
    • Node / Kubelet
    • No
    • False
    • Hide

      None

      Show
      None
    • Hide
      * Previously, the kubelet was running with the `unconfined_service_t` SELinux type. As a consequence, all our plugins failed to deploy due to an Selinux denial. With this fix, the kubelet now runs with the `kubelet_exec_t` SELinux type. As a result, plugins deploy as expected. (link:https://issues.redhat.com/browse/OCPBUGS-20022[*OCPBUGS-20022*])
      Show
      * Previously, the kubelet was running with the `unconfined_service_t` SELinux type. As a consequence, all our plugins failed to deploy due to an Selinux denial. With this fix, the kubelet now runs with the `kubelet_exec_t` SELinux type. As a result, plugins deploy as expected. (link: https://issues.redhat.com/browse/OCPBUGS-20022 [* OCPBUGS-20022 *])
    • Bug Fix
    • Done

      Description of problem:

      It looks like kubelet is running with `unconfined_service_t`. It should run as `kubelet_exec_t`. This is causing all our plugins to fail because of Selinux denial.

sh-5.1# ps -AZ | grep kubelet
system_u:system_r:unconfined_service_t:s0 8719 ? 00:24:50 kubelet
sh-5.1# ls -Z /usr/bin/kubelet
system_u:object_r:kubelet_exec_t:s0 /usr/bin/kubelet

       

      Version-Release number of selected component (if applicable):

      OCP 4.13

      How reproducible:

      Make sure SELinux is not disabled.
Deploy any any  of the intel device plugins.
This should be reproducinble with any plugins as long as they are not running as spc_t

       

       

       

      Steps to Reproduce:

      1.
2.
3.

      Actual results:

      type=AVC msg=audit(1696283412.807:7035): avc:  denied  { connectto } for  pid=2680643 comm="intel_qat_devic" path="/var/lib/kubelet/device-plugins/kubelet.sock" scontext=system_u:system_r:container_device_plugin_t:s0:c53,c1014 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=0

      Expected results:

      The selinux should not deny socket access.

      Additional info:

      the kubelet was running with correct label in 4.12.x but its not in 4.13.x.

              pehunt@redhat.com Peter Hunt
              manish.regmi1@intel.com Manish Regmi (Inactive)
              Sunil Choudhary Sunil Choudhary
              Votes:
              0 Vote for this issue
              Watchers:
              12 Start watching this issue

                Created:
                Updated:
                Resolved: