-
Notifications
You must be signed in to change notification settings - Fork 93
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CRI-O CI broken due to SELinux AVC Denials with latest runc (main branch) build #274
Comments
Alas, I was unable to repro this with a separate runc binary and runc integration tests. |
Is this still happening? Does runc write out a binary file and then execute it? |
This looks like runc creates the binary, and then sets the SELinux label on the container at which point it starts executing the binary. Can we set the SELinux label later, only when it executes PID1 process? |
@rhatdan this is an intermediate init binary (which does nothing else except executing the container init process); the binary is created in container's state directory ( Alas, I can't repro this without cri-o. |
I have a repro now: opencontainers/runc#4053. I also have a workaround (disable dmz if selinux is in enforcing mode and process.selinuxLabel is set in config), but I am not a huge fan of doing things that way. |
Filed runc issue: opencontainers/runc#4057 which for some reason shows slightly different avc denials than this issue. |
I suggested setting the @rhatdan Is this something that should be possible or something we can enable, or is there something I'm doing wrong? Since we set the process label to the container label with the same privileges, it seems strange to be unable to set a file to have the same label. The only other alternative is to not use |
If you call label.SetFSCreateLabel(mount_label) before creating the object, then the container_t should be able to use it. |
For some reason it doesn't work. Maybe it's not working with (will provide logs a bit later) |
I checked the logs and they are the same with and without the patch that adds Here's the log from a run on CentOS 9, before the proposed fix:
Here is one after the fix (i.e. with
I assume that it just doesn't work for |
Indeed, it appears that the fd created by memfd_create does not take fscreatecon into account. I added a check in the code to see if the memfd label is as expected, and it is not:
Here's the code that does it: opencontainers/runc@650a51b |
That quite possibly is a kernel issue. I will ping the SELinux kernel developers on this. For now we can add allow rules to container-selinux policy, and then over time remove the rules, once we have a fixed kernel. |
@kolyshkin Could you allow the entrpoint rule and see what AVC's get created? |
With the entrypoint allowed (in opencontainers/runc@48336b6), I get this on CentOS 9:
It's similar for CentOS 8 and Fedora 38. On CentOS 7 I see:
|
With these rules
it works on all distros we test with selinux (centos 7,8,9 and latest fedora). I am going to also test it with cri-o ci (where the problem was initially discovered), as I'm not sure my tests cover all the bases. |
For containers/container-selinux#274. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Tested; looks OK (cri-o/cri-o#7359) |
I would prefer if we allowed the label to be changed by the runtime (setting the We can set |
Fixes: containers#274 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
It is not a huge loosening of security to allow containers to read/execute content created in a tmpfs by the container runtimes. Although I would like to remove it at some point. |
Problem Statement:
For the past few days, the CRI-O CI has been encountering severe issues on both Fedora 36 and RHEL 9.2. Upon investigation, SELinux AVC denials have been identified as the root cause.
Setting SELinux to permissive mode resolves the issue.
The following command was used to identify the necessary permissions.
The problem appears to be related to a recent update in the main branch of runc, specifically in the pull request: opencontainers/runc#3987. According to the runc maintainer, an intermediate binary was added which requires additional permissions to fix this issue.
Expected Behavior:
CRI-O CI tests should run successfully without encountering SELinux AVC denials.
Additional Information:
Operating System: Fedora 36, RHEL 9.2
The text was updated successfully, but these errors were encountered: