Bug 1214810 - SELinux blocking k8s applications
Summary: SELinux blocking k8s applications
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Atomic
Classification: Retired
Component: kernel
Version: unspecified
Hardware: All
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Depends On: 1165982 1193590
Blocks: 1222060 1227096
Reported: 2015-04-23 15:07 UTC by Jay Vyas
Modified: 2016-06-10 13:41 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of: 1165982
Clones: 1222060 1227096
Environment:
Last Closed: 2016-06-10 13:41:13 UTC
RHEL 7.3 requirements from Atomic Host:
Embargoed:



Description Jay Vyas 2015-04-23 15:07:03 UTC
Description of the problem

In atomic with kubernetes, running the examples/k8petstore application, we get the following trace.

host12-rack10: Apr 23 10:55:47 host12-rack10.scale.openstack.engineering.redhat.com kernel: type=1400 audit(1429800947.568:5672): avc:  denied  { read } for  pid=6679 comm="redis-server" name="dump.rdb" dev="dm-1" ino=12757262 scontext=system_u:system_r:svirt_lxc_net_t:s0:c61,c652 tcontext=system_u:object_r:docker_var_lib_t:s0 tclass=file
host12-rack10: Apr 23 10:55:47 host12-rack10.scale.openstack.engineering.redhat.com kernel: type=1400 audit(1429800947.566:5671): avc:  denied  { rename } for  pid=6679 comm="redis-server" name="temp-1429800947.9.rdb" dev="dm-1" ino=12757262 scontext=system_u:system_r:svirt_lxc_net_t:s0:c61,c652 tcontext=system_u:object_r:docker_var_lib_t:s0 tclass=file
host12-rack10: Apr 23 10:55:47 host12-rack10.scale.openstack.engineering.redhat.com kernel: type=1400 audit(1429800947.513:5670): avc:  denied  { write open } for  pid=6679 comm="redis-server" path="/data/temp-1429800947.9.rdb" dev="dm-1" ino=12757262 scontext=system_u:system_r:svirt_lxc_net_t:s0:c61,c652 tcontext=system_u:object_r:docker_var_lib_t:s0 tclass=file
host12-rack10: Apr 23 10:55:47 host12-rack10.scale.openstack.engineering.redhat.com kernel: type=1400 audit(1429800947.511:5669): avc:  denied  { create } for  pid=6679 comm="redis-server" name="temp-1429800947.9.rdb" scontext=system_u:system_r:svirt_lxc_net_t:s0:c61,c652 tcontext=system_u:object_r:docker_var_lib_t:s0 tclass=file


This is indicating that SELinux doesn't like some of the actions being done by the redis components.

To launch this application in kubernetes, you can run https://raw.githubusercontent.com/GoogleCloudPlatform/kubernetes/master/examples/k8petstore/k8petstore.sh .

Comment 1 Daniel Walsh 2015-04-23 15:17:43 UTC
Is this /data being volume-mounted into the container? Could it be done with the :Z or :z option?

:Z will tell it to use private labeling, :z will tell it to use shared labeling (shared between containers).

Comment 2 Jay Vyas 2015-05-13 21:08:57 UTC
It's been a while, but this happens on dirs that are not being mounted also, IIRC.

Comment 3 Jay Vyas 2015-05-14 20:10:46 UTC
FYI, from IRC

<SteveWatt> </html>
<SteveWatt>  the mounted directory is /test
<SteveWatt> it is mounting /opt
<j_brb> SteveWatt, 
<j_brb> May 13 17:29:28 host15-rack11.scale.openstack.engineering.redhat.com kernel: type=1400 audit(1431552568.781:6): avc:  denied  { read } for  pid=122076 comm="nginx" name="hello.html" dev="dm-0" ino=8435109 scontext=system_u:system_r:svirt_lxc_net_t:s0:c125,c316 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
<j_brb> -bash-4.2# 
<j_brb> There's your error ^^^^^^^^^^^6
<j_brb> journalctl --since yesterday |grep avc <--- that is how to grab the selinux log for it.
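An added example, not code from this bug or from the Kubernetes or Docker projects: a small Python triage script for AVC denial lines like the ones pasted in the description (redis-server) and in the IRC excerpt above (nginx). Those five lines are embedded as the sample input; in practice the input would be the output of `journalctl --since yesterday | grep avc` as suggested in the IRC paste. The script groups denials by source domain, target label and object class, unions the denied permissions, and maps each pair to the relabeling fix suggested in comment 1 (:Z private / :z shared). The function names, the `CONTAINER_DOMAIN` constant and the diagnosis text are this example's own constructions; the script only reads log text and changes no SELinux state.

```python
"""Triage SELinux AVC denials from container domains (added example for this bug thread)."""
import re
from collections import defaultdict

# Sample input, copied from the bug description and the IRC paste (hostname prefix kept).
SAMPLE_LOG = """\
Apr 23 10:55:47 host12-rack10.scale.openstack.engineering.redhat.com kernel: type=1400 audit(1429800947.568:5672): avc:  denied  { read } for  pid=6679 comm="redis-server" name="dump.rdb" dev="dm-1" ino=12757262 scontext=system_u:system_r:svirt_lxc_net_t:s0:c61,c652 tcontext=system_u:object_r:docker_var_lib_t:s0 tclass=file
Apr 23 10:55:47 host12-rack10.scale.openstack.engineering.redhat.com kernel: type=1400 audit(1429800947.566:5671): avc:  denied  { rename } for  pid=6679 comm="redis-server" name="temp-1429800947.9.rdb" dev="dm-1" ino=12757262 scontext=system_u:system_r:svirt_lxc_net_t:s0:c61,c652 tcontext=system_u:object_r:docker_var_lib_t:s0 tclass=file
Apr 23 10:55:47 host12-rack10.scale.openstack.engineering.redhat.com kernel: type=1400 audit(1429800947.513:5670): avc:  denied  { write open } for  pid=6679 comm="redis-server" path="/data/temp-1429800947.9.rdb" dev="dm-1" ino=12757262 scontext=system_u:system_r:svirt_lxc_net_t:s0:c61,c652 tcontext=system_u:object_r:docker_var_lib_t:s0 tclass=file
Apr 23 10:55:47 host12-rack10.scale.openstack.engineering.redhat.com kernel: type=1400 audit(1429800947.511:5669): avc:  denied  { create } for  pid=6679 comm="redis-server" name="temp-1429800947.9.rdb" scontext=system_u:system_r:svirt_lxc_net_t:s0:c61,c652 tcontext=system_u:object_r:docker_var_lib_t:s0 tclass=file
May 13 17:29:28 host15-rack11.scale.openstack.engineering.redhat.com kernel: type=1400 audit(1431552568.781:6): avc:  denied  { read } for  pid=122076 comm="nginx" name="hello.html" dev="dm-0" ino=8435109 scontext=system_u:system_r:svirt_lxc_net_t:s0:c125,c316 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
"""

# "avc:  denied  { write open } for  pid=... comm=..." -> permissions set and the key=value tail.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$")
# key="quoted value" or key=bareword
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Container process domain seen in the log lines above (assumption: this is the domain to triage).
CONTAINER_DOMAIN = "svirt_lxc_net_t"


def split_context(ctx):
    """'system_u:system_r:svirt_lxc_net_t:s0:c61,c652' -> ('svirt_lxc_net_t', {'c61', 'c652'})."""
    parts = ctx.split(":", 3)  # user, role, type, MLS/MCS range
    cats = set()
    if len(parts) == 4 and ":" in parts[3]:
        cats = set(parts[3].split(":", 1)[1].split(","))
    return parts[2], cats


def parse_avc(line):
    """Return a dict describing one AVC denial, or None if the line is not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: (q or u) for k, q, u in FIELD_RE.findall(m.group("rest"))}
    stype, scats = split_context(fields["scontext"])
    ttype, tcats = split_context(fields["tcontext"])
    return {
        "perms": set(m.group("perms").split()),
        "comm": fields.get("comm"),
        "pid": fields.get("pid"),
        "target": fields.get("path") or fields.get("name"),
        "stype": stype, "scats": scats,
        "ttype": ttype, "tcats": tcats,
        "tclass": fields.get("tclass"),
    }


def summarize(lines):
    """Group denials by (source type, target type, object class) and union the permissions."""
    groups = defaultdict(lambda: {"count": 0, "perms": set(), "comms": set(), "targets": set()})
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        g = groups[(rec["stype"], rec["ttype"], rec["tclass"])]
        g["count"] += 1
        g["perms"] |= rec["perms"]
        g["comms"].add(rec["comm"])
        g["targets"].add(rec["target"])
    return dict(groups)


def diagnose(stype, ttype):
    """Map a (source, target) type pair to the fix discussed in the thread."""
    if stype != CONTAINER_DOMAIN:
        return "not a container-domain denial; outside this bug's scope"
    if ttype == "docker_var_lib_t":
        return ("target still carries Docker's storage label docker_var_lib_t, so the path was "
                "never relabelled for the container: mount it with :Z (private) or :z (shared)")
    return (f"target carries host label {ttype}; a bind-mounted host path needs a "
            "container-accessible label: mount it with :Z (private) or :z (shared)")


def report(log_text):
    """Render a short triage report as a list of lines (two per denial group)."""
    out = []
    for (stype, ttype, tclass), g in sorted(summarize(log_text.splitlines()).items()):
        perms = " ".join(sorted(g["perms"]))
        comms = ",".join(sorted(g["comms"]))
        out.append(f"{g['count']} denial(s): {stype} -> {ttype} ({tclass}) perms={{{perms}}} comm={comms}")
        out.append("  " + diagnose(stype, ttype))
    return out


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Running it on the embedded sample yields two groups: four redis-server denials (create, open, read, rename, write) against docker_var_lib_t, and one nginx read denial against var_t, each followed by the relabeling suggestion. The MCS categories (c61,c652 and c125,c316) are parsed into `scats` so that, on a host with several containers, denials can also be split per container rather than per domain.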

Comment 4 Daniel Walsh 2015-05-14 20:23:00 UTC
You need to fix the labels on the volume you are mounting into the container.

Comment 5 Timothy St. Clair 2015-05-14 20:44:13 UTC
@pmorie, any insight here?  

Currently the k8s submission is declarative; we only specify hostPath, and the actual mounting details are handled by the kubelet.

Comment 6 Jay Vyas 2015-05-15 16:01:04 UTC
More details... another labelling issue, most likely: when we attempt to run the e2e hostDir test (pending into kubernetes), we get...

  Expected error:
      <*errors.errorString | 0xc20825aef0>: {
          s: "pod pod-b4623a77-fb1a-11e4-8c06-ecf4bbc72674 terminated with failure: &{ExitCode:1 Signal:0 Reason: Message: StartedAt:2015-05-15 11:54:45 -0400 EDT FinishedAt:2015-05-15 11:54:45 -0400 EDT ContainerID:docker://bee5e651dd1ecd1346e53afe8bd293555dd2af55ca174caea6b3e860b4d72df4}",
      }
      pod pod-b4623a77-fb1a-11e4-8c06-ecf4bbc72674 terminated with failure: &{ExitCode:1 Signal:0 Reason: Message: StartedAt:2015-05-15 11:54:45 -0400 EDT FinishedAt:2015-05-15 11:54:45 -0400 EDT ContainerID:docker://bee5e651dd1ecd1346e53afe8bd293555dd2af55ca174caea6b3e860b4d72df4}
  not to have occurred

when attempting to read/write onto a mounted volume.

This is reproduced by 

(1) enabling selinux
(2) running test/e2e/hostDir.go (might be moved, pr is https://github.com/GoogleCloudPlatform/kubernetes/pull/7756 ).

Comment 7 Daniel Walsh 2015-05-15 17:43:41 UTC
Can you pass a Read/Only flag?  If yes then you should be able to pass a Shared/Private flag for relabeling. Of course this has not made it into docker upstream, but it is very close.

Comment 8 Paul Morie 2015-05-19 18:27:55 UTC
Cross-posted from 1222060:

TL;DR recap of my phone convo w/ Tim SC:

There is no treatment for selinux wrt hostDir plugin.  Eventually, the security work going on now will ensure that the selinux context is relabeled so that it plays nice with the selinux context a container is running in.

For now, I would look at whether the policy changed around /var/lib/kubelet during 7.1.1 -> present.

Comment 9 Daniel Walsh 2016-06-10 13:41:13 UTC
I am closing this since I believe it is fixed in current release.

