Privileged containers run as container_runtime_t instead of spc_t on MicroOS #53

Open
ejweber opened this issue Nov 21, 2023 · 0 comments

ejweber commented Nov 21, 2023

Found this while investigating longhorn/longhorn#5348 (comment).

I am technically using Tumbleweed, not MicroOS, but I am able to match the package versions of the initial raiser.

To be honest, I'm not really sure if this is a k3s-selinux bug or a selinux-policy-targeted bug. I tried to reproduce on RKE2, but I hit rancher/rke2-selinux#56 for now.

The problem manifests when upgrading selinux-policy-targeted from 20231012-1.1 to 20231030-1.1.

Before the upgrade, privileged containers run correctly in the spc_t domain.

ip-192-168-217-136:/home/ec2-user # tumbleweed version
20231030

ip-192-168-217-136:/home/ec2-user # zypper search -si selinux
Loading repository data...
Reading installed packages...

S  | Name                     | Type    | Version          | Arch   | Repository
---+--------------------------+---------+------------------+--------+-----------------------------------
i+ | container-selinux        | package | 2.222.0-1.2      | noarch | openSUSE-Tumbleweed-Oss (20231030)
i+ | k3s-selinux              | package | 1.4.stable.1-1.3 | noarch | openSUSE-Tumbleweed-Oss (20231030)
i  | libselinux1              | package | 3.5-5.2          | x86_64 | openSUSE-Tumbleweed-Oss (20231030)
i  | microos_selinux          | pattern | 5.0-81.1         | x86_64 | (System Packages)
i+ | patterns-microos-selinux | package | 5.0-81.1         | x86_64 | (System Packages)
i  | python311-selinux        | package | 3.5-5.2          | x86_64 | openSUSE-Tumbleweed-Oss (20231030)
i  | selinux-autorelabel      | package | 3.1-3.9          | noarch | openSUSE-Tumbleweed-Oss (20231030)
i+ | selinux-policy           | package | 20231012-1.1     | noarch | openSUSE-Tumbleweed-Oss (20231030)
i  | selinux-policy-devel     | package | 20231030-1.1     | noarch | (System Packages)
i+ | selinux-policy-targeted  | package | 20231012-1.1     | noarch | openSUSE-Tumbleweed-Oss (20231030)
i  | selinux-tools            | package | 3.5-5.2          | x86_64 | openSUSE-Tumbleweed-Oss (20231030)

ip-192-168-217-136:/home/ec2-user # ps -efZ | grep "longhorn-manager -d csi"
system_u:system_r:spc_t:s0      root     12788  4678  0 19:27 ?        00:00:00 longhorn-manager -d csi --nodeid=ip-192-168-217-136 --endpoint=unix:///csi/csi.sock --drivername=driver.longhorn.io --manager-url=http://longhorn-backend:9500/v1
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 22254 17226  0 19:42 pts/1 00:00:00 grep --color=auto longhorn-manager -d csi

ip-192-168-217-136:/home/ec2-user # ps -efZ | grep "pause"
system_u:system_r:container_t:s0:c311,c885 65535 2308 2148  0 19:26 ?  00:00:00 /pause
system_u:system_r:container_t:s0:c337,c548 65535 2323 2162  0 19:26 ?  00:00:00 /pause
system_u:system_r:container_t:s0:c289,c892 65535 2580 2395  0 19:26 ?  00:00:00 /pause
system_u:system_r:container_t:s0:c591,c694 65535 3028 2737  0 19:26 ?  00:00:00 /pause
system_u:system_r:container_t:s0:c683,c711 65535 3094 2755  0 19:26 ?  00:00:00 /pause
system_u:system_r:container_t:s0:c802,c836 65535 3112 2878  0 19:26 ?  00:00:00 /pause
system_u:system_r:container_t:s0:c298,c963 65535 3243 3029  0 19:26 ?  00:00:00 /pause
system_u:system_r:container_t:s0:c465,c934 65532 3250 3068  0 19:26 ?  00:00:00 /pause
system_u:system_r:container_t:s0:c447,c862 65535 3520 3404  0 19:26 ?  00:00:00 /pause
system_u:system_r:container_t:s0:c455,c839 65535 3523 3303  0 19:26 ?  00:00:00 /pause
system_u:system_r:container_t:s0:c405,c908 root 3621 3414  0 19:26 ?   00:00:00 /pause
system_u:system_r:container_t:s0:c400,c525 65535 3722 3512  0 19:26 ?  00:00:00 /pause
system_u:system_r:container_t:s0:c160,c677 65535 3966 3718  0 19:26 ?  00:00:00 /pause
system_u:system_r:container_t:s0:c132,c522 65535 4049 3850  0 19:26 ?  00:00:00 /pause
system_u:system_r:container_t:s0:c96,c539 65535 4081 3856  0 19:26 ?   00:00:00 /pause
system_u:system_r:container_t:s0:c57,c457 65535 4092 3821  0 19:26 ?   00:00:00 /pause
system_u:system_r:container_t:s0:c20,c927 65535 4161 3989  0 19:26 ?   00:00:00 /pause
system_u:system_r:spc_t:s0      65535     4403  4131  0 19:26 ?        00:00:00 /pause
system_u:system_r:container_t:s0:c703,c910 65535 4554 4306  0 19:26 ?  00:00:00 /pause
system_u:system_r:container_t:s0:c623,c860 65535 4562 4418  0 19:26 ?  00:00:00 /pause
system_u:system_r:container_t:s0:c28,c545 65535 4799 4654  0 19:26 ?   00:00:00 /pause
system_u:system_r:spc_t:s0      65535     4850  4678  0 19:26 ?        00:00:00 /pause
system_u:system_r:spc_t:s0      65535     4924  4794  0 19:26 ?        00:00:00 /pause
system_u:system_r:container_t:s0:c559,c630 65535 5042 4832  0 19:26 ?  00:00:00 /pause
system_u:system_r:container_t:s0:c229,c625 65535 5228 5169  0 19:26 ?  00:00:00 /pause
system_u:system_r:container_t:s0:c609,c795 65535 5603 5486  0 19:26 ?  00:00:00 /pause
system_u:system_r:container_t:s0:c203,c988 65535 6102 6001  0 19:26 ?  00:00:00 /pause
system_u:system_r:container_t:s0:c384,c827 65535 6163 6075  0 19:26 ?  00:00:00 /pause
system_u:system_r:container_t:s0:c451,c720 65535 6391 6325  0 19:26 ?  00:00:00 /pause
system_u:system_r:spc_t:s0      65535     9407  9340  0 19:27 ?        00:00:00 /pause
system_u:system_r:spc_t:s0      65535     9414  9379  0 19:27 ?        00:00:00 /pause
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 22313 17226 99 19:42 pts/1 00:00:00 grep --color=auto pause

After the upgrade, they stay in the container_runtime_t domain. This is the root cause of longhorn/longhorn#5348 (comment).

ip-192-168-217-136:/home/ec2-user # tumbleweed version
repositories have not been initialized for snapshots
  Try /usr/bin/tumbleweed init

ip-192-168-217-136:/home/ec2-user # zypper search -si selinux
Loading repository data...
Reading installed packages...

S  | Name                     | Type    | Version          | Arch   | Repository
---+--------------------------+---------+------------------+--------+------------------------
i+ | container-selinux        | package | 2.222.0-1.2      | noarch | openSUSE-Tumbleweed-Oss
i+ | k3s-selinux              | package | 1.4.stable.1-1.3 | noarch | openSUSE-Tumbleweed-Oss
i  | libselinux1              | package | 3.5-5.2          | x86_64 | openSUSE-Tumbleweed-Oss
i  | microos_selinux          | pattern | 5.0-81.1         | x86_64 | openSUSE-Tumbleweed-Oss
i+ | patterns-microos-selinux | package | 5.0-81.1         | x86_64 | openSUSE-Tumbleweed-Oss
i  | python311-selinux        | package | 3.5-5.2          | x86_64 | openSUSE-Tumbleweed-Oss
i  | selinux-autorelabel      | package | 3.1-3.9          | noarch | openSUSE-Tumbleweed-Oss
i+ | selinux-policy           | package | 20231030-1.1     | noarch | openSUSE-Tumbleweed-Oss
i  | selinux-policy-devel     | package | 20231030-1.1     | noarch | openSUSE-Tumbleweed-Oss
i+ | selinux-policy-targeted  | package | 20231030-1.1     | noarch | openSUSE-Tumbleweed-Oss
i  | selinux-tools            | package | 3.5-5.2          | x86_64 | openSUSE-Tumbleweed-Oss

    Note: For an extended search including not yet activated remote resources please use 'zypper
    search-packages'.

ip-192-168-217-136:/home/ec2-user # ps -efZ | grep "longhorn-manager -d csi"
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 29151 25465  0 00:30 pts/1 00:00:00 grep --color=auto longhorn-manager -d csi

ip-192-168-217-136:/home/ec2-user # ps -efZ | grep "longhorn-manager -d csi"
system_u:system_r:container_runtime_t:s0 root 31026 30576  0 00:32 ?   00:00:00 longhorn-manager -d csi --nodeid=ip-192-168-217-136 --endpoint=unix:///csi/csi.sock --drivername=driver.longhorn.io --manager-url=http://longhorn-backend:9500/v1
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 31183 25465  0 00:32 pts/1 00:00:00 grep --color=auto longhorn-manager -d csi

ip-192-168-217-136:/home/ec2-user # ps -efZ | grep "pause"
system_u:system_r:container_t:s0:c231,c334 65535 2052 1848  0 Nov20 ?  00:00:00 /pause
system_u:system_r:container_t:s0:c58,c588 65535 2126 1927  0 Nov20 ?   00:00:00 /pause
system_u:system_r:container_t:s0:c271,c689 65535 2263 2200  0 Nov20 ?  00:00:00 /pause
system_u:system_r:container_t:s0:c93,c477 65535 2382 2217  0 Nov20 ?   00:00:00 /pause
system_u:system_r:container_t:s0:c26,c585 65535 2423 2301  0 Nov20 ?   00:00:00 /pause
system_u:system_r:container_t:s0:c97,c648 65535 2427 2315  0 Nov20 ?   00:00:00 /pause
system_u:system_r:container_t:s0:c142,c669 65535 2453 2311  0 Nov20 ?  00:00:00 /pause
system_u:system_r:container_t:s0:c418,c835 65535 2455 2347  0 Nov20 ?  00:00:00 /pause
system_u:system_r:container_t:s0:c641,c771 65535 2621 2554  0 Nov20 ?  00:00:00 /pause
system_u:system_r:container_t:s0:c226,c315 65532 2770 2679  0 Nov20 ?  00:00:00 /pause
system_u:system_r:container_t:s0:c109,c281 65535 3132 3062  0 Nov20 ?  00:00:00 /pause
system_u:system_r:container_t:s0:c209,c349 65535 3146 3079  0 Nov20 ?  00:00:00 /pause
system_u:system_r:container_runtime_t:s0 65535 3545 3474  0 Nov20 ?    00:00:00 /pause
system_u:system_r:container_t:s0:c308,c406 65535 3872 3766  0 Nov20 ?  00:00:00 /pause
system_u:system_r:container_t:s0:c126,c599 65535 3884 3837  0 Nov20 ?  00:00:00 /pause
system_u:system_r:container_t:s0:c115,c166 65535 4069 4018  0 Nov20 ?  00:00:00 /pause
system_u:system_r:container_t:s0:c242,c711 65535 4550 4458  0 Nov20 ?  00:00:00 /pause
system_u:system_r:container_t:s0:c254,c998 65535 4696 4625  0 Nov20 ?  00:00:00 /pause
system_u:system_r:container_t:s0:c175,c609 65535 4888 4793  0 Nov20 ?  00:00:00 /pause
system_u:system_r:container_t:s0:c467,c864 65535 5164 5003  0 Nov20 ?  00:00:00 /pause
system_u:system_r:container_t:s0:c548,c562 root 5356 5192  0 Nov20 ?   00:00:00 /pause
system_u:system_r:container_t:s0:c207,c515 65535 5795 5659  0 Nov20 ?  00:00:00 /pause
system_u:system_r:container_t:s0:c29,c545 65535 5845 5646  0 Nov20 ?   00:00:00 /pause
system_u:system_r:container_t:s0:c144,c888 65535 5951 5842  0 Nov20 ?  00:00:00 /pause
system_u:system_r:container_t:s0:c33,c413 65535 6033 5866  0 Nov20 ?   00:00:00 /pause
system_u:system_r:container_t:s0:c748,c926 65535 6134 6040  0 Nov20 ?  00:00:00 /pause
system_u:system_r:container_runtime_t:s0 65535 6630 6556  0 Nov20 ?    00:00:00 /pause
system_u:system_r:container_t:s0:c725,c738 65535 6821 6769  0 Nov20 ?  00:00:00 /pause
system_u:system_r:container_runtime_t:s0 65535 9132 9082  0 Nov20 ?    00:00:00 /pause
system_u:system_r:container_runtime_t:s0 65535 9143 9100  0 Nov20 ?    00:00:00 /pause
system_u:system_r:container_runtime_t:s0 65535 30607 30576  0 00:32 ?  00:00:00 /pause

Other context:

k3s version: v1.27.7+k3s2

OS distribution:

ip-192-168-217-136:~ # cat /etc/os-release
NAME="openSUSE Tumbleweed"
# VERSION="20231119"
ID="opensuse-tumbleweed"
ID_LIKE="opensuse suse"
VERSION_ID="20231119"
PRETTY_NAME="openSUSE Tumbleweed"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:opensuse:tumbleweed:20231119"
BUG_REPORT_URL="https://bugzilla.opensuse.org"
SUPPORT_URL="https://bugs.opensuse.org"
HOME_URL="https://www.opensuse.org"
DOCUMENTATION_URL="https://en.opensuse.org/Portal:Tumbleweed"
LOGO="distributor-logo-Tumbleweed"
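The "before" and "after" `ps -efZ` listings above are compared by eye. Below is an added example (not part of the issue or of k3s-selinux) that does the same comparison mechanically: it reads `ps -efZ` output and reports every process still labelled `container_runtime_t` whose command is not a container runtime binary, which is exactly the symptom reported here (the `/pause` and `longhorn-manager` processes that should have transitioned to `spc_t`). The list of runtime binary names in `RUNTIME_CMDS` is an assumption about a k3s node, and the sample listing in `sample_after` is constructed from the issue's output, not captured verbatim.

```shell
#!/bin/sh
# Added example: audit `ps -efZ` output for workloads that did not leave
# container_runtime_t. Not part of the issue; RUNTIME_CMDS is an assumption
# about which binaries legitimately run in container_runtime_t on a k3s node.

RUNTIME_CMDS='k3s|containerd|containerd-shim|containerd-shim-runc-v2|runc'

# selinux_type LABEL: print the SELinux type (third colon-separated field)
# of a context such as system_u:system_r:spc_t:s0.
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# stuck_in_runtime: read `ps -efZ` lines on stdin and print "PID CMD" for every
# process whose type is container_runtime_t but whose argv[0] is not one of
# RUNTIME_CMDS. Field layout of ps -efZ: LABEL UID PID PPID C STIME TTY TIME CMD.
# Empty output means every workload transitioned out of the runtime domain.
stuck_in_runtime() {
    awk -v re="^(${RUNTIME_CMDS})\$" '
        $1 == "LABEL" { next }               # ps header line
        $9 == "grep"  { next }               # the grep that produced the listing
        {
            split($1, ctx, ":")
            if (ctx[3] != "container_runtime_t") next
            base = $9
            sub(/^.*\//, "", base)           # /path/to/k3s -> k3s
            if (base ~ re) next              # the runtime itself is expected here
            cmd = ""
            for (i = 9; i <= NF; i++) cmd = cmd (i > 9 ? " " : "") $i
            print $3, cmd
        }'
}

# count_type TYPE: number of processes on stdin running in the given type.
count_type() {
    awk -v t="$1" '
        $1 == "LABEL" { next }
        { split($1, ctx, ":"); if (ctx[3] == t) n++ }
        END { print n + 0 }'
}

# Constructed sample modelled on the post-upgrade listing in the issue
# (PIDs and commands shortened; not a verbatim capture).
sample_after() {
    cat <<'EOF'
LABEL                                    UID   PID  PPID C STIME TTY     TIME CMD
system_u:system_r:container_runtime_t:s0 root 1040 1 0 Nov20 ? 00:02:11 /usr/local/bin/k3s server
system_u:system_r:container_runtime_t:s0 root 30576 1040 0 00:32 ? 00:00:00 /var/lib/rancher/k3s/data/current/bin/containerd-shim-runc-v2 -namespace k8s.io
system_u:system_r:container_runtime_t:s0 65535 30607 30576 0 00:32 ? 00:00:00 /pause
system_u:system_r:container_runtime_t:s0 root 31026 30576 0 00:32 ? 00:00:00 longhorn-manager -d csi --nodeid=ip-192-168-217-136
system_u:system_r:container_t:s0:c231,c334 65535 2052 1848 0 Nov20 ? 00:00:00 /pause
system_u:system_r:spc_t:s0 root 12788 4678 0 19:27 ? 00:00:00 longhorn-manager -d csi --nodeid=ip-192-168-217-136
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 31183 25465 0 00:32 pts/1 00:00:00 grep --color=auto pause
EOF
}

# Stand-alone run: on a real node replace `sample_after` with `ps -efZ`.
sample_after | stuck_in_runtime
```

On a node, `ps -efZ | stuck_in_runtime` lists the stuck workloads; against the constructed sample it reports PID 30607 (`/pause`) and PID 31026 (`longhorn-manager`) and nothing else, since the `k3s` and `containerd-shim-runc-v2` processes are expected to run in `container_runtime_t`. Running it before and after the `selinux-policy-targeted` upgrade gives a reproducible way to confirm the regression rather than reading labels by hand.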