Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-7550

Selinux denials on EL8 based pods running atop RHCOS9

    XMLWordPrintable

Details

    • Bug
    • Resolution: Not a Bug
    • Critical
    • None
    • 4.13.0
    • Containers, Node / CRI-O
    • None
    • Critical
    • Yes
    • Approved
    • False
    • Hide

      None

      Show
      None

    Description

      Description of problem:

      When debugging why the baremetal networking stack fails when running on RHCOS9 (Currently Centos Stream 9) we're observing selinux access denials to system libraries inside the pod. These pods are privileged but they are not host mounting paths for these system libraries.

      Version-Release number of selected component (if applicable):

      4.13 RHCOS 9.2

      How reproducible:

      100%

      Steps to Reproduce:

      1. Install using a RHCOS 9.2 build on baremetal, observe selinux denials
2. oc adm release extract --command=openshift-install quay.io/sdodsonrht/rhcos9.2:413.92.202302081904-0
3. ./openshift-install

      Actual results:

      type=AVC msg=audit(1676426562.256:2813): avc:  denied  { read } for  pid=281167 comm="runtimecfg" path="/usr/lib64/libpthread-2.28.so" dev="sda4" ino=10496760 scontext=system_u:system_r:container_t:s0:c220,c813 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1676426563.097:2814): avc:  denied  { read } for  pid=281270 comm="runtimecfg" path="/usr/lib64/libpthread-2.28.so" dev="sda4" ino=10496760 scontext=system_u:system_r:container_t:s0:c175,c184 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1676426563.858:2815): avc:  denied  { read } for  pid=281357 comm="runtimecfg" path="/usr/lib64/libpthread-2.28.so" dev="sda4" ino=10496760 scontext=system_u:system_r:container_t:s0:c24,c227 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1676426564.671:2816): avc:  denied  { read } for  pid=281465 comm="runtimecfg" path="/usr/lib64/libpthread-2.28.so" dev="sda4" ino=10496760 scontext=system_u:system_r:container_t:s0:c845,c1009 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=0

      Expected results:

      No selinux denials

      Additional info:

      I'll attach the pod spec to this jira. The container in question is the initContainer.

# rpm -q container-selinux selinux-policy-targeted cri-o crun runc

container-selinux-2.199.0-1.el9.noarch
selinux-policy-targeted-38.1.5-1.el9.noarch
cri-o-1.26.1-4.rhaos4.13.gita78722c.el9.x86_64
crun-1.8-1.el9.x86_64
runc-1.1.4-1.el9.x86_64

       

      Attachments

        Issue Links

          blocks

          Epic - Created by Jira Software - do not edit or delete. Issue type for a big user story that needs to be broken down. COS-1926 Move RHCOS to RHEL 9.2 in OCP 4.13

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Closed

          Bug - A problem that impairs or prevents the functions of the product. OCPBUGS-7293 RHCOS 9.2 Failing to Bootstrap on Metal, OpenStack, vSphere (all baremetal runtime platforms)

          • Critical - To be worked on immediately following BLOCKER issues.
          • Closed

          Activity

            People

              pehunt@redhat.com Peter Hunt
              rhn-support-sdodson Scott Dodson
              David Darrah David Darrah
              Votes:
              0 Vote for this issue
              Watchers:
              9 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: