As with #50, it's the same problem for Cilium.
```
nyc3-prod-02-master-0-bwyji:/home/deploy cat /var/log/audit/audit.log | grep "denied"
type=AVC msg=audit(1711564489.897:215): avc: denied { write } for pid=3034 comm="cp" name="bin" dev="vda3" ino=258 scontext=system_u:system_r:container_t:s0:c217,c278 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1711564489.917:216): avc: denied { write } for pid=3043 comm="cp" name="bin" dev="vda3" ino=258 scontext=system_u:system_r:container_t:s0:c217,c278 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1711564489.927:217): avc: denied { write } for pid=3048 comm="cp" name="bin" dev="vda3" ino=258 scontext=system_u:system_r:container_t:s0:c217,c278 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1711567283.879:166): avc: denied { write } for pid=2395 comm="cp" name="bin" dev="vda3" ino=258 scontext=system_u:system_r:container_t:s0:c30,c180 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1711567283.899:167): avc: denied { write } for pid=2409 comm="cp" name="bin" dev="vda3" ino=258 scontext=system_u:system_r:container_t:s0:c30,c180 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1711567283.909:168): avc: denied { write } for pid=2414 comm="cp" name="bin" dev="vda3" ino=258 scontext=system_u:system_r:container_t:s0:c30,c180 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1711612728.803:164): avc: denied { add_name } for pid=2520 comm="cp" name="dummy" scontext=system_u:system_r:container_t:s0:c874,c957 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1711612728.830:165): avc: denied { add_name } for pid=2529 comm="cp" name="portmap" scontext=system_u:system_r:container_t:s0:c874,c957 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1711612728.847:166): avc: denied { add_name } for pid=2534 comm="cp" name="tap" scontext=system_u:system_r:container_t:s0:c874,c957 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1711613974.095:156): avc: denied { add_name } for pid=2417 comm="cp" name="dummy" scontext=system_u:system_r:container_t:s0:c528,c547 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1711613974.125:157): avc: denied { add_name } for pid=2426 comm="cp" name="portmap" scontext=system_u:system_r:container_t:s0:c528,c547 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1711613974.135:158): avc: denied { add_name } for pid=2431 comm="cp" name="tap" scontext=system_u:system_r:container_t:s0:c528,c547 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1711614531.767:186): avc: denied { add_name } for pid=2717 comm="cp" name="dummy" scontext=system_u:system_r:container_t:s0:c554,c621 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1711614531.797:187): avc: denied { add_name } for pid=2736 comm="cp" name="portmap" scontext=system_u:system_r:container_t:s0:c554,c621 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1711614531.811:188): avc: denied { add_name } for pid=2741 comm="cp" name="tap" scontext=system_u:system_r:container_t:s0:c554,c621 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1711614574.775:1048): avc: denied { create } for pid=4753 comm="cp" name="dummy" scontext=system_u:system_r:container_t:s0:c305,c487 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0
type=AVC msg=audit(1711614574.798:1049): avc: denied { create } for pid=4762 comm="cp" name="portmap" scontext=system_u:system_r:container_t:s0:c305,c487 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0
type=AVC msg=audit(1711614574.812:1050): avc: denied { create } for pid=4767 comm="cp" name="tap" scontext=system_u:system_r:container_t:s0:c305,c487 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0
type=AVC msg=audit(1711614816.935:190): avc: denied { write } for pid=2824 comm="cp" path="/host/opt/cni/bin/dummy" dev="vda3" ino=278 scontext=system_u:system_r:container_t:s0:c587,c923 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0
type=AVC msg=audit(1711614816.935:191): avc: denied { remove_name } for pid=2824 comm="cp" name="dummy" dev="vda3" ino=278 scontext=system_u:system_r:container_t:s0:c587,c923 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1711614816.958:192): avc: denied { write } for pid=2833 comm="cp" path="/host/opt/cni/bin/portmap" dev="vda3" ino=279 scontext=system_u:system_r:container_t:s0:c587,c923 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0
type=AVC msg=audit(1711614816.958:193): avc: denied { remove_name } for pid=2833 comm="cp" name="portmap" dev="vda3" ino=279 scontext=system_u:system_r:container_t:s0:c587,c923 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1711614816.968:194): avc: denied { write } for pid=2838 comm="cp" path="/host/opt/cni/bin/tap" dev="vda3" ino=280 scontext=system_u:system_r:container_t:s0:c587,c923 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0
type=AVC msg=audit(1711614816.968:195): avc: denied { remove_name } for pid=2838 comm="cp" name="tap" dev="vda3" ino=280 scontext=system_u:system_r:container_t:s0:c587,c923 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0
```
Fix so far:
```
nyc3-prod-02-master-0-bwyji:/home/deploy # cat mypolicy.te
module mypolicy 1.0;

require {
	type usr_t;
	type container_t;
	class dir { add_name remove_name write };
	class file { create unlink write };
}

#============= container_t ==============
allow container_t usr_t:dir { add_name remove_name write };
allow container_t usr_t:file { create unlink write };
```
As usual, not happy and needs to be improved, but works for now ;)
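The step between the `audit.log` excerpt and `mypolicy.te` above is what `audit2allow` automates: parse each AVC `denied` record, take the *type* field out of `scontext` and `tcontext`, and union the denied permissions per (source type, target type, class). The following script is an added example, not part of the issue or of Cilium, that does exactly that for the record format shown on this page. The sample log is constructed from five of the records quoted above plus one made-up `type=SYSCALL` line to show that non-AVC records are skipped; the function names (`parse_avc_denials`, `summarize`, `render_te_module`) are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample input: five AVC records taken from the issue above and one
# made-up SYSCALL record, which the parser ignores.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1711564489.897:215): avc: denied { write } for pid=3034 comm="cp" name="bin" dev="vda3" ino=258 scontext=system_u:system_r:container_t:s0:c217,c278 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1711612728.803:164): avc: denied { add_name } for pid=2520 comm="cp" name="dummy" scontext=system_u:system_r:container_t:s0:c874,c957 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1711614574.775:1048): avc: denied { create } for pid=4753 comm="cp" name="dummy" scontext=system_u:system_r:container_t:s0:c305,c487 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0
type=AVC msg=audit(1711614816.935:190): avc: denied { write } for pid=2824 comm="cp" path="/host/opt/cni/bin/dummy" dev="vda3" ino=278 scontext=system_u:system_r:container_t:s0:c587,c923 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0
type=AVC msg=audit(1711614816.935:191): avc: denied { remove_name } for pid=2824 comm="cp" name="dummy" dev="vda3" ino=278 scontext=system_u:system_r:container_t:s0:c587,c923 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1711614816.935:191): arch=c000003e syscall=263 success=no exit=-13 comm="cp"
"""

# One AVC "denied" record. Whitespace is matched loosely because auditd writes
# double spaces around "denied" while copy-pasted logs often collapse them.
AVC_RE = re.compile(
    r"type=AVC\s+msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+avc:\s+denied\s+"
    r"\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*?)\s+"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc_denials(text):
    """Return one dict per AVC denial found anywhere in the audit text."""
    denials = []
    for m in AVC_RE.finditer(text):
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
        denials.append({
            "serial": int(m.group("serial")),
            "perms": frozenset(m.group("perms").split()),
            # A context is user:role:type[:range]; only the type matters for allow rules.
            "stype": m.group("scontext").split(":")[2],
            "ttype": m.group("tcontext").split(":")[2],
            "tclass": m.group("tclass"),
            "comm": fields.get("comm"),
            "object": fields.get("path") or fields.get("name"),
            # permissive=1 means the access was logged but not blocked.
            "permissive": m.group("permissive") == "1",
        })
    return denials


def objects_touched(denials):
    """Sorted set of the path/name values the denied processes tried to reach."""
    return sorted({d["object"] for d in denials if d["object"]})


def summarize(denials):
    """Collapse denials into {(source type, target type, class): set of permissions}."""
    rules = defaultdict(set)
    for d in denials:
        rules[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    return dict(rules)


def render_te_module(name, version, rules):
    """Render a .te policy module with a require block, in the style of audit2allow."""
    types = sorted({k[0] for k in rules} | {k[1] for k in rules})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls] |= perms
    lines = [f"module {name} {version};", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    for cls in sorted(classes):
        lines.append("\tclass %s { %s };" % (cls, " ".join(sorted(classes[cls]))))
    lines += ["}", ""]
    for key in sorted(rules):
        stype, ttype, cls = key
        lines.append("allow %s %s:%s { %s };" % (stype, ttype, cls, " ".join(sorted(rules[key]))))
    return "\n".join(lines) + "\n"


def build_policy_from_log(text, name="mypolicy", version="1.0"):
    """Audit text in, .te module text out."""
    return render_te_module(name, version, summarize(parse_avc_denials(text)))


if __name__ == "__main__":
    print(build_policy_from_log(SAMPLE_AUDIT_LOG))
```

Run against the sample it emits `allow container_t usr_t:dir { add_name remove_name write };` and `allow container_t usr_t:file { create write };`, the same shape as `mypolicy.te` (the page's module also carries `unlink`, which is not in the five sample records). Two things worth checking before loading such a module: `objects_touched()` confirms the denials really are limited to the CNI binaries under `/host/opt/cni/bin`, and the generated rule is nonetheless keyed on *types*, so it lets every `container_t` process modify every `usr_t` directory and file on the host, not just that one directory. A narrower alternative with the same effect for this path is to relabel the directory to `container_file_t` (via `semanage fcontext` and `restorecon`), which requires no new allow rule at all.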
Cilium runs as {"level":"s0","type":"spc_t"}
```
module cilium_selinux 1.2;

require {
	type usr_t;
	type container_t;
	class dir { add_name remove_name write };
	class file { create unlink write };
	# class process transition;
}

# Define the new type
type container_t_cilium, container_domain;
typeattribute container_t_cilium container_t;

# Allow container_t_cilium to transition from container_t
#allow container_t container_t_cilium:process transition;

#============= container_t_cilium ==============
# Inherit container_t permissions
roleattribute container_t_cilium container_t;

# Specify additional permissions for container_t_cilium
allow container_t_cilium usr_t:dir { add_name remove_name write };
allow container_t_cilium usr_t:file { create unlink write };
```
But I still had no luck; I would still receive the same log entries as above, so for now the general solution it is.