Bug
Resolution: Done
Critical
4.20.0
Quality / Stability / Reliability
Rejected
OCP Node Sprint 270 (Green)
Proposed
Enhancement
Description of problem:
After PR https://github.com/openshift/machine-config-operator/pull/4933 from the MCO team merged, the SELinux label of /etc/docker changed from system_u:object_r:etc_t:s0 to system_u:object_r:cert_t:s0, so the directory can no longer be mounted by a non-privileged pod.
It works on previous OCP versions lower than 4.19.
Version-Release number of selected component (if applicable):
4.19.0-0.nightly-multi-2025-04-14-134206
How reproducible:
Always, on the latest 4.19 nightly build.
It works on previous OCP versions lower than 4.19.
Steps to Reproduce:
1. launch an ocp cluster
2. Create a pod using the hostmount-anyuid SCC with a hostPath volume for /etc/docker, for example:
$ oc new-project lwan-test
$ oc create sa pod-hostpath
$ oc adm policy add-scc-to-user hostmount-anyuid -z pod-hostpath -n lwan-test
$ oc create -f - <<EOF
apiVersion: apps/v1
kind: Deployment
metadata:
  name: test-mount-hostmount-anyuid
  labels:
    app: test-mount-hostmount-anyuid
spec:
  replicas: 1
  selector:
    matchLabels:
      app: test-mount-hostmount-anyuid
  template:
    metadata:
      annotations:
        openshift.io/required-scc: hostmount-anyuid
        target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
      labels:
        app: test-mount-hostmount-anyuid
    spec:
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
            - matchExpressions:
              - key: kubernetes.io/arch
                operator: In
                values:
                - amd64
                - arm64
                - s390x
                - ppc64le
      containers:
      - image: quay.io/openshifttest/hello-openshift:arm-amd-1.2.0
        imagePullPolicy: IfNotPresent
        name: test-mount-pri
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          privileged: false
          readOnlyRootFilesystem: true
          runAsUser: 1001
          runAsNonRoot: true
        volumeMounts:
        - mountPath: /etc/docker/
          name: docker-conf
          readOnly: true
        - mountPath: /etc/containers/
          name: containers-conf
          readOnly: true
      serviceAccount: pod-hostpath
      serviceAccountName: pod-hostpath
      securityContext:
        runAsNonRoot: true
      volumes:
      - hostPath:
          path: /etc/docker/
          type: DirectoryOrCreate
        name: docker-conf
      - hostPath:
          path: /etc/containers/
          type: DirectoryOrCreate
        name: containers-conf
EOF
3. Log in to the pod and check whether /etc/docker/certs.d is present.
Actual results:
/etc/docker/certs.d cannot be mounted.
Expected results:
/etc/docker/certs.d can be mounted.
Additional info:
1. The SELinux denial message:
sh-5.1# ausearch -m AVC -ts recent
----
time->Tue Apr 15 09:44:53 2025
type=PROCTITLE msg=audit(1744710293.886:1932): proctitle=6C73002F6574632F646F636B6572
type=SYSCALL msg=audit(1744710293.886:1932): arch=c000003e syscall=2 success=no exit=-13 a0=7f3054828ab0 a1=98000 a2=0 a3=0 items=0 ppid=38367 pid=38387 auid=4294967295 uid=1001 gid=0 euid=1001 suid=1001 fsuid=1001 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4294967295 comm="ls" exe="/usr/bin/coreutils" subj=system_u:system_r:container_t:s0:c27,c28 key=(null)
type=AVC msg=audit(1744710293.886:1932): avc: denied { read } for pid=38387 comm="ls" name="docker" dev="nvme0n1p4" ino=37749568 scontext=system_u:system_r:container_t:s0:c27,c28 tcontext=system_u:object_r:container_config_t:s0 tclass=dir permissive=0
2. The SELinux labels:
sh-5.1# ls -laZ /etc/docker/
total 12
drwxr-xr-x. 3 root root system_u:object_r:container_config_t:s0 21 Apr 14 08:40 .
drwxr-xr-x. 97 root root system_u:object_r:etc_t:s0 8192 Apr 14 09:00 ..
drwxr-xr-x. 4 root root system_u:object_r:cert_t:s0 147 Apr 14 11:41 certs.d
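To triage a denial like the one above it helps to pull the denied permission, the source domain and the target type out of the raw audit record and compare them with the on-disk labels, rather than reading the line by eye. The following Python is an added example for this report; it is not code from the bug, from the MCO PR or from OpenShift. The two sample inputs are the AVC record and the ls -laZ listing quoted above, embedded as constructed strings, and the only policy fact it relies on is the one the denial itself states: container_t was refused read on a container_config_t directory with permissive=0.

```python
import re

# Constructed sample input: the AVC record quoted in this bug report.
AVC_LINE = (
    'type=AVC msg=audit(1744710293.886:1932): avc: denied { read } for pid=38387 '
    'comm="ls" name="docker" dev="nvme0n1p4" ino=37749568 '
    'scontext=system_u:system_r:container_t:s0:c27,c28 '
    'tcontext=system_u:object_r:container_config_t:s0 tclass=dir permissive=0'
)

# Constructed sample input: the "ls -laZ /etc/docker/" listing quoted in this bug report.
LS_Z_OUTPUT = """total 12
drwxr-xr-x. 3 root root system_u:object_r:container_config_t:s0 21 Apr 14 08:40 .
drwxr-xr-x. 97 root root system_u:object_r:etc_t:s0 8192 Apr 14 09:00 ..
drwxr-xr-x. 4 root root system_u:object_r:cert_t:s0 147 Apr 14 11:41 certs.d
"""

# "avc: denied { read write } for key=value key="quoted value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def selinux_type(context):
    """user:role:type:level -> type (the third field of a context string)."""
    return context.split(':')[2]


def parse_avc(line):
    """Parse one AVC denial record; return None for non-AVC or non-denial records."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('fields'))}
    return {
        'perms': m.group('perms').split(),
        'comm': fields.get('comm'),
        'name': fields.get('name'),
        'source_domain': selinux_type(fields['scontext']),
        'target_type': selinux_type(fields['tcontext']),
        'tclass': fields.get('tclass'),
        # permissive=1 means the access was logged but allowed; 0 means enforced.
        'permissive': fields.get('permissive') == '1',
    }


def parse_ls_z(text):
    """Map each entry name in 'ls -laZ' output to its SELinux type."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        # mode links user group context size month day time name
        if len(parts) < 10 or parts[0][0] not in 'dl-':
            continue
        entries[parts[-1]] = selinux_type(parts[4])
    return entries


def blocked_entries(ls_entries, denials, domain='container_t'):
    """Names from the listing whose type was the target of an enforced denial from `domain`."""
    denied_types = {
        d['target_type'] for d in denials
        if d is not None and d['source_domain'] == domain and not d['permissive']
    }
    return sorted(name for name, t in ls_entries.items() if t in denied_types)


if __name__ == '__main__':
    denial = parse_avc(AVC_LINE)
    labels = parse_ls_z(LS_Z_OUTPUT)
    print('denied', denial['perms'], denial['source_domain'], '->',
          denial['target_type'], denial['tclass'])
    print('entries a container_t pod cannot read:', blocked_entries(labels, [denial]))
```

Run against the report's own data this shows that the entry the pod trips over is "." (the /etc/docker directory itself, labelled container_config_t), not certs.d (cert_t): the read on the parent directory fails before the pod ever gets to the subdirectory, which is why certs.d appears to be missing from inside the container.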
blocks:
  MULTIARCH-5405 The PPC pod fails to mount the hostPath "/etc/docker" on newer OCP 4.19 (Closed)
  OCPBUGS-56266 Non-privileged Pod fails to mount /etc/docker via hostPath (Closed)
is cloned by:
  OCPBUGS-56266 Non-privileged Pod fails to mount /etc/docker via hostPath (Closed)