unable to run envoy proxy with selinux enforcing #2240

dweomer · 2020-09-12T00:04:53Z

Environmental Info:
k3s version v1.18.8+k3s1 (6b59531)
k3s version v1.19.1-rc1+k3s1 (041f18f)

Node(s) CPU architecture, OS, and Version:
Single-node amd64, CentOS 7:

# /etc/os-release
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"

CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"

Describe the bug:
Unable to run envoy proxy with SELinux=Enforcing.

Steps To Reproduce

install k3s:

sudo yum install -y container-selinux selinux-policy-base https://rpm.rancher.io/k3s-selinux-0.1.1-rc1.el7.noarch.rpm
curl -fsSL https://get.k3s.io | sudo sh

create envoy proxy pod:

kubectl run envoy --image=envoyproxy/envoy:v1.14.1

kubectl get pod envoy

NAME    READY   STATUS             RESTARTS   AGE
envoy   0/1     CrashLoopBackOff   1          10s

Expected behavior:
The pod runs without crashing

Actual behavior:
The pod is in a crash loop.

Additional context / logs:

sudo ausearch -ts recent -m avc

----
time->Fri Sep 11 23:58:44 2020
type=PROCTITLE msg=audit(1599868724.714:1069): proctitle=656E766F79002D63002F6574632F656E766F792F656E766F792E79616D6C
type=SYSCALL msg=audit(1599868724.714:1069): arch=c000003e syscall=2 success=no exit=-13 a0=7ffc8812c3e0 a1=a00c2 a2=180 a3=121 items=0 ppid=7600 pid=7661 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="envoy" exe="/usr/local/bin/envoy" subj=system_u:system_r:container_t:s0:c715,c888 key=(null)
type=AVC msg=audit(1599868724.714:1069): avc:  denied  { write } for  pid=7661 comm="envoy" name="/" dev="tmpfs" ino=65109 scontext=system_u:system_r:container_t:s0:c715,c888 tcontext=system_u:object_r:container_runtime_tmpfs_t:s0 tclass=dir permissive=0

The text was updated successfully, but these errors were encountered:

dweomer · 2020-09-12T02:36:46Z

In my initial assessment I thought that this was a policy miss in k3s-selinux: https://github.com/rancher/k3s-selinux/blob/470ebf7dc1f53ffcf9020521d6a263bf9f79f4bd/k3s.fc#L16

But, of course, there is no transition yet defined for the shm path as there is for rke2: https://github.com/rancher/rke2-selinux/blob/v0.2.testing.2/rke2.if#L21

Turns out, the transition is in container-selinux: https://github.com/containers/container-selinux/blob/RHEL7.5/container.te#L191

dweomer · 2020-09-14T16:35:54Z

With attempt to verify this on Fedora 32 on the chance that updated policy solves this (el7 ~ 2.119, f32 ~ 2.144)

cjellick · 2020-09-15T01:00:03Z

This won't make it into the initial 1.19 release, but we'll address it in a follow up.

davidnuzik · 2020-10-06T22:24:41Z

@dweomer Are you actually working on a fix now and have a way forward? Or should we put this in the backlog for now?

dweomer · 2020-10-06T22:26:15Z

@davidnuzik backlog I think but likely high-ish priority. Can maybe get to it later this week.

davidnuzik · 2020-11-03T17:15:39Z

We plan to take SELinux out of experimental in docs after the fix for this is in.

Addresses k3s-io#2240

Addresses #2240 Signed-off-by: Jacob Blain Christen <[email protected]>

see k3s-io/cri#7 addresses #2240 for 1.18 backport of #2478 to 1.3.x Signed-off-by: Jacob Blain Christen <[email protected]>

Address an issue originally seen in the k3s 1.3 and 1.4 forks of containerd/cri, k3s-io/k3s#2240. This is a backport of containerd/containerd#4699 Even with updated container-selinux policy, container-local /dev/shm will get mounted with container_runtime_tmpfs_t because it is a tmpfs created by the runtime and not the container (thus, container_runtime_t transition rules apply). The relabel mitigates such, allowing envoy proxy to work correctly (and other programs that wish to write to their /dev/shm) under selinux.

Address an issue originally seen in the k3s 1.3 and 1.4 forks of containerd/cri, k3s-io/k3s#2240. This is a backport of containerd/containerd#4699 Even with updated container-selinux policy, container-local /dev/shm will get mounted with container_runtime_tmpfs_t because it is a tmpfs created by the runtime and not the container (thus, container_runtime_t transition rules apply). The relabel mitigates such, allowing envoy proxy to work correctly (and other programs that wish to write to their /dev/shm) under selinux. Signed-off-by: Jacob Blain Christen <[email protected]>

ShylajaDevadiga · 2020-11-10T00:36:42Z

Validated using Commit ID c72c186 in CentOS 7.8 as well as RHEL 8.2 on SELinux Enforced systems.

$ k3s -v
k3s version v1.19.3+k3s-c72c1867
$ cat /etc/redhat-release 
Red Hat Enterprise Linux release 8.2 (Ootpa)
$ sudo cat  /var/lib/rancher/k3s/etc/containerd/config.toml |grep selinux
  enable_selinux = true
$ kubectl get pod envoy
NAME    READY   STATUS    RESTARTS   AGE
envoy   1/1     Running   0          92s
[ec2-user@ip-172-31-33-149 ~]$

Address an issue originally seen in the k3s 1.3 and 1.4 forks of containerd/cri, k3s-io/k3s#2240. This is a backport of containerd/containerd#4699 Even with updated container-selinux policy, container-local /dev/shm will get mounted with container_runtime_tmpfs_t because it is a tmpfs created by the runtime and not the container (thus, container_runtime_t transition rules apply). The relabel mitigates such, allowing envoy proxy to work correctly (and other programs that wish to write to their /dev/shm) under selinux. Signed-off-by: Jacob Blain Christen <[email protected]>

Address k3s-io/k3s#2240. Cherry-pick of containerd#1605 Signed-off-by: Jacob Blain Christen <[email protected]>

Addresses k3s-io/k3s#2240 Adapted from 6af326d Signed-off-by: Jacob Blain Christen <[email protected]>

ShylajaDevadiga · 2020-11-12T02:16:57Z

Validated the fix using commit 2c666af on rhel 7.8 as well rhel 8.2
selinux Enforced mode
hostIPC set to true

[ec2-user@ip-172-31-32-116 ~]$ k3s -v
k3s version v1.19.3+k3s-2c666af4 (2c666af4)
[ec2-user@ip-172-31-32-116 ~]$ sudo cat /var/lib/rancher/k3s/agent/etc/containerd/config.toml  |grep enable
  enable_selinux = true
[ec2-user@ip-172-31-32-116 ~]$ ls -alZ /dev/shm/
total 4
drwxrwxrwt.  2 root root system_u:object_r:tmpfs_t:s0            60 Nov 12 01:38 .
drwxr-xr-x. 18 root root system_u:object_r:device_t:s0         2720 Nov 12 01:27 ..
-rw-------.  1 root root system_u:object_r:container_file_t:s0  104 Nov 12 01:38 envoy_shared_memory_0
[ec2-user@ip-172-31-32-116 ~]$

Addresses k3s-io#2240 Signed-off-by: Jacob Blain Christen <[email protected]>

Addresses k3s-io/k3s#2240 Adapted from 6af326d Signed-off-by: Jacob Blain Christen <[email protected]>

dweomer added kind/bug Something isn't working [zube]: Working os/centos labels Sep 12, 2020

dweomer self-assigned this Sep 12, 2020

davidnuzik added this to the v1.19.1+k3s1 milestone Sep 15, 2020

cjellick modified the milestones: v1.19.1+k3s1, v1.19 - Backlog, v1.19.2+k3s2 Sep 15, 2020

davidnuzik modified the milestones: v1.19.2+k3s2, v1.19.3+k3s1 Oct 6, 2020

davidnuzik modified the milestones: v1.19.3+k3s1, v1.19.3+k3s2 Oct 14, 2020

davidnuzik added [zube]: Next Up and removed [zube]: Working labels Oct 16, 2020

galal-hussein mentioned this issue Oct 27, 2020

Istio support in rke2 rancher/rke2#504

Closed

davidnuzik modified the milestones: v1.19.3+k3s2, v1.19.4+k3s1 Oct 30, 2020

davidnuzik added [zube]: Working and removed [zube]: Next Up labels Nov 3, 2020

davidnuzik mentioned this issue Nov 3, 2020

[Documentation] Promote SELinux support (v1.19.4) #2473

Closed

dweomer added a commit to dweomer/k3s that referenced this issue Nov 5, 2020

cri: bump to updated fork

0a416c5

Addresses k3s-io#2240

dweomer added a commit to dweomer/k3s that referenced this issue Nov 5, 2020

cri: bump to updated fork

a922fed

Addresses k3s-io#2240

dweomer mentioned this issue Nov 7, 2020

[1.19 backport] cri: bump to updated fork #2486

Merged

dweomer added a commit that referenced this issue Nov 9, 2020

cri: bump to updated fork (#2478)

ce5c8ef

Addresses #2240 Signed-off-by: Jacob Blain Christen <[email protected]>

dweomer added a commit that referenced this issue Nov 9, 2020

cri: bump to updated fork (#2486)

32c5918

Addresses #2240 Signed-off-by: Jacob Blain Christen <[email protected]>

dweomer added a commit that referenced this issue Nov 9, 2020

cri: pull on fix for selinux relabel of /dev/shm (#2485)

f92c048

see k3s-io/cri#7 addresses #2240 for 1.18 backport of #2478 to 1.3.x Signed-off-by: Jacob Blain Christen <[email protected]>

dweomer added the [zube]: To Test label Nov 9, 2020

zube bot removed the [zube]: Working label Nov 9, 2020

davidnuzik assigned ShylajaDevadiga Nov 9, 2020

ShylajaDevadiga closed this as completed Nov 10, 2020

zube bot added [zube]: Done and removed [zube]: To Test labels Nov 10, 2020

ShylajaDevadiga mentioned this issue Nov 10, 2020

unable to run envoy proxy with selinux enforcing rancher/rke2#525

Closed

dweomer added a commit to k3s-io/cri that referenced this issue Nov 11, 2020

[release/1.4 backport] selinux: relabel /dev/shm

6af326d

Address k3s-io/k3s#2240. Cherry-pick of containerd#1605 Signed-off-by: Jacob Blain Christen <[email protected]>

This was referenced Nov 11, 2020

cri: pull in updated /dev/shm fix #2506

Merged

[backport 1.19] cri: pull in updated /dev/shm fix #2507

Merged

dweomer added a commit to k3s-io/cri that referenced this issue Nov 12, 2020

[backport release/1.3] selinux: relavel /dev/shm

e9ad336

Addresses k3s-io/k3s#2240 Adapted from 6af326d Signed-off-by: Jacob Blain Christen <[email protected]>

dweomer mentioned this issue Nov 12, 2020

[backport 1.18] cri: pull in updated /dev/shm fix #2508

Merged

ShylajaDevadiga reopened this Nov 12, 2020

zube bot added [zube]: To Triage and removed [zube]: Done labels Nov 12, 2020

ShylajaDevadiga closed this as completed Nov 12, 2020

zube bot added [zube]: Done and removed [zube]: To Triage labels Nov 12, 2020

briandowns pushed a commit to briandowns/k3s that referenced this issue Jan 14, 2021

cri: bump to updated fork (k3s-io#2478)

39f2e2d

Addresses k3s-io#2240 Signed-off-by: Jacob Blain Christen <[email protected]>

Oats87 removed the [zube]: Done label Feb 10, 2021

dweomer added a commit to k3s-io/cri that referenced this issue Mar 16, 2021

[backport release/1.3] selinux: relavel /dev/shm

065123f

Addresses k3s-io/k3s#2240 Adapted from 6af326d Signed-off-by: Jacob Blain Christen <[email protected]>

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

unable to run envoy proxy with selinux enforcing #2240

unable to run envoy proxy with selinux enforcing #2240

dweomer commented Sep 12, 2020 •

edited

Loading

dweomer commented Sep 12, 2020

dweomer commented Sep 14, 2020 •

edited

Loading

cjellick commented Sep 15, 2020

davidnuzik commented Oct 6, 2020

dweomer commented Oct 6, 2020

davidnuzik commented Nov 3, 2020

ShylajaDevadiga commented Nov 10, 2020

ShylajaDevadiga commented Nov 12, 2020

unable to run envoy proxy with selinux enforcing #2240

unable to run envoy proxy with selinux enforcing #2240

Comments

dweomer commented Sep 12, 2020 • edited Loading

dweomer commented Sep 12, 2020

dweomer commented Sep 14, 2020 • edited Loading

cjellick commented Sep 15, 2020

davidnuzik commented Oct 6, 2020

dweomer commented Oct 6, 2020

davidnuzik commented Nov 3, 2020

ShylajaDevadiga commented Nov 10, 2020

ShylajaDevadiga commented Nov 12, 2020

dweomer commented Sep 12, 2020 •

edited

Loading

dweomer commented Sep 14, 2020 •

edited

Loading