Create new SELinux policy for kubevirt project

[wrabcak]

New container type "virt_launcher_t" should allow running VMs inside
containers.

Solution is provided as workaround for following bugzilla tickets:
https://bugzilla.redhat.com/show_bug.cgi?id=1795975
https://bugzilla.redhat.com/show_bug.cgi?id=1795964

[rhatdan]

I would prefer if you added the container_domain to this?

[stu-gott]

if I understand what you meant by this, the parent (container_domain) of this is the domain that should be added to sandbox_net_domain?

[wrabcak]

@rhatdan, We cannot assign attribute to attribute in m4 :/

[rhatdan]

No I am suggesting that
typeattribute virt_launcer_t, container_domain;

[wrabcak]

Policy updated.

[rhatdan]

Why does it need this access?

[stu-gott]

I do not think this line is useful. I removed it from the module in kubevirt/kubevirt#2934 -- which is still pending merge, but the fate of that PR is tied to this one.

I inspected the filesystems on random virt-launcher and virt-handler containers. The container_share_t label was not present at all. If it were present (and we really needed write access to it), that's much more likely to be properly fixed with relabelling than adding an allow-write rule to a type that's supposed to be read-only.

[wrabcak]

As this is temporary solution, I allowed what was in previous cil policy. @fabiand mentioned that they will work on KubeVirt project to drop some access to make these containers more secure. No problem I can remove this line.

[rhatdan]

We can create a type for virt-launcher to create in the policy than it would create that type when it runs in the /var/run directory.

type virt_launcher_var_run_t;
files_pid_file(virt_launcher_var_run_t)
files_pid_filetrans(virt_launcher_t, virt_launcher_var_run_t, { dir file lnk_file sock_file })
files_trans(virt_launcher_t, container_var_run_t, virt_launcher_var_run_t, dir)
manage_files_pattern(virt_launcher_t, virt_launcher_var_run_t, virt_launcher_var_run_t)
manage_lnk_files_pattern(virt_launcher_t, virt_launcher_var_run_t, virt_launcher_var_run_t)
manage_dirs_pattern(virt_launcher_t, virt_launcher_var_run_t, virt_launcher_var_run_t)

[rhatdan]

Add a file context
/var/run/kubevirt-private(/.*)? gen_context(system_u:object_r:virt_launcher_var_run_t,s0)

[rhatdan]

We could do similar for the content created in /tmp.

[wrabcak]

Changed in the commit.

[rhatdan]

Are these runtime files being added to the container?
Do we know what command they are executing to launch the containers?

[stu-gott]

Some time ago we used to use /tmp/healthy for file-based health monitoring--we don't anymore. I'm wondering if this is cruft left over from that.

I'm currently verifying if there's any other consequences to removing this.

[wrabcak]

Okay, this probably could be removed also.

[stu-gott]

I tested removing this line and lots of tests failed. Oddly they failed on access to files such as this:

/var/run/kubevirt-private/vmi-disks/disk0/disk.img

Which is probably a secondary effect as that is a bindmounted elsewhere. Would it be ok to leave this rule in place?

[stu-gott]

Follow-up: the above is a side-effect. CDI's upload server still uses /tmp/healthy to report status. Either the startup script is crashing because it can't write there, or k8s is crashlooping the pod because it never reports as healthy.

One KubeVirt component still does require read/write access to /tmp.

[rhatdan]

Can we just label the content in /var/run/kubevert-private to container_file_t, or volume mount it into the container engine with the :Z or :z options?

[stu-gott]

The issue with /var/run/kubevirt-private was a red herring. the real issue was that the CDI upload server failed to start when I removed permissions to write to /tmp.

[rhatdan]

This looks wrong, is this a labeling issue? IE are we mounting content in /run created by the container runtime, without a :Z?

[stu-gott]

/var/run/kubevirt-infra/healthy is being written to by the virt-launcher process. Since that's technically a new file created after the container is running, would that be why this is needed?

[wrabcak]

@stu-gott are you bind mounting this file to the container space?

[stu-gott]

Yes I believe so. virt-handler reports health on behalf of virt-launcher (which is isolated from cluster resources), thus the bind mount.

[wrabcak]

@rhatdan do we have something like :Z for bindmounts for kubernetes?

[rhatdan]

You can add this to the destination, I believe, and then CRI-O will relabel the content.

[stu-gott]

I think it would be better if we left KubeVirt as-is for the moment. Otherwise we get into this weird situation where we need a compatibility matrix to know what versions of kubevirt will run on what versions of RHCOS.

[wrabcak]

@fabiand could you please look on comments from Dan? I'm not sure what's going on inside a container.
Thanks,
Lukas.

[stu-gott]

@wrabcak I'm currently verifying whether or not we still need read/write access to /tmp, but other than that, I've added my insights to @rhatdan's questions/observations. If there's still further questions/clarifications please don't hesitate to ask.

[wrabcak]

Hi @stu-gott ,
I also put some comments. Please review.

[fabiand]

@rhatdan @wrabcak thanks for the feedback. I do agree with Stu that I'd prefer to see the policies taken over as they are, because this is how the exist in upstream KubeVirt.
Please bear in mind that this is to enable KubeVirt initially, the long term approach is to move to svirt which @enp0s3 is working on.

Thus I'd really appreciate if we can merge it as is and get rid of it in 1year again.

[wrabcak]

I understand the pressure to merge the PR. However, @rhatdan needs to decide.

Thanks,
Lukas.

[rhatdan]

If you would clarify which directories kubervirt needs to write to, then we could do a much better job at securing the container. If we are going to just allow it to write all over the system, then we should just run it as spc_t.

[fabiand]

I understand. Sadly - and it's not unwillingness - I am just not able to provide the relevant data. Thus I thank for teh support, but I suppose that we should then just go with spc_t and focus on the other side to go with svirt.

[wrabcak]

I updated the PR based on comments from @rhatdan and @stu-gott .

[wrabcak]

What is the current state @fabiand are you using spc_t ?

[fabiand]

KubeVirt was using spc_t, but then came up with it's custom linux policy. This will work today for non RHCOS/FCOS hosts. RedHat's CNV is using spc_t (based on the KubeVirt code which was also using spc_t), and will now continue to use spc_t until we are able to switch to svirt_t. The intermediate steps - like adding our custom policy to container-selinux - are just a little difficult to do atm.

[wrabcak]

Understand.

@rhatdan Could we close the PR?

[rhatdan]

Sure, but we are also having a lot of conversations about how to support kata containers, which might have similar issues to kubevirt. Basically we need a lvm_container_t, that is able to run as a VM and able to read/write container_file_t content.

[wrabcak]

@rhatdan , Understand. We should open some Issue on this project where we could discuss it. I don't think this is a good place for discussion about kata containers.

Thanks,
Lukas.

[rhatdan]

We now have container_kvm_t, which satisfies this need

[fabiand]

Just for the record: container_kvm_t is probably not what KubeVirt can use. But now we have switched to an approache where we are shipping our custom type during KubeVirt deployment.