Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-42419

kubelet-service: path is missing from the restorecon command

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Unresolved
    • Icon: Major Major
    • None
    • 4.18.0
    • Machine Config Operator
    • None
    • None
    • Proposed
    • False
    • Hide

      None

      Show
      None
    • Release Note Not Required
    • In Progress

      Description of problem:

      Before the kubelet systemd service runs kubelet binary it calls the restorecon command:
https://github.com/openshift/machine-config-operator/blob/master/templates/worker/01-worker-kubelet/on-prem/units/kubelet.service.yaml#L13 

But the restorecon command expects a path to be given.
providing a path is mandatory.
see man page: https://linux.die.net/man/8/restorecon

At the moment the command does nothing and the error
is swallowed due to the dash (-) in the beginning
of the command.

This results with files that are labeled with wrong SELinux labels.
for example:
After https://github.com/containers/container-selinux/pull/329 got merged /var/lib/kubelet/pod-resources/* expected to be running with kubelet_var_lib_t label but it's not. it's running with the old label - container_var_lib_t

      Version-Release number of selected component (if applicable):

          4.18

      How reproducible:

          Always

      Steps to Reproduce:

          1. Check the SELinux labels of files under the system with ls -Z command.

      Actual results:

          files are labeled with a wrong SELinux labels

      Expected results:

      file's SELinux labels are suppose the match their configuration as it captured in the container-selinux package.

      Additional info:

            team-mco Team MCO
            titzhak Talor Itzhak
            Sunil Choudhary Sunil Choudhary
            Votes:
            0 Vote for this issue
            Watchers:
            6 Start watching this issue

              Created:
              Updated: