
Selinux compliance #106

Closed
clopnis opened this issue May 5, 2021 · 10 comments · Fixed by #185
Labels: documentation (Improvements or additions to documentation), good first issue (Good for newcomers), help wanted (Extra attention is needed)

Comments

@clopnis

clopnis commented May 5, 2021

Bug description

Scaphandre doesn't provide an SELinux module to be granted, so scaphandre is not supposed to be able to reach /proc files

To Reproduce

Run podman scaphandre on a CentOS node with SELinux permissive or enforcing.

Expected behavior

```
type=PROCTITLE msg=audit(1620219205.083:466054): proctitle=2F7573722F6C6F63616C2F62696E2F7363617068616E6472650070726F6D657468657573
type=AVC msg=audit(1620219205.085:466055): avc: denied { getattr } for pid=4193349 comm="actix-rt:worker" path="/proc/958137" dev="proc" ino=18576650 scontext=system_u:system_r:container_t:s0:c118,c962 tcontext=system_u:system_r:svirt_t:s0:c589,c604 tclass=dir permissive=1
type=SYSCALL msg=audit(1620219205.085:466055): arch=c000003e syscall=332 success=yes exit=0 a0=ffffffffffffff9c a1=7f215c0c5530 a2=0 a3=fff items=0 ppid=4193337 pid=4193349 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=6 comm="actix-rt:worker" exe="/usr/local/bin/scaphandre" subj=system_u:system_r:container_t:s0:c118,c962 key=(null)ARCH=x86_64 SYSCALL=statx AUID="root" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=PROCTITLE msg=audit(1620219205.085:466055): proctitle=2F7573722F6C6F63616C2F62696E2F7363617068616E6472650070726F6D657468657573
type=AVC msg=audit(1620219205.086:466056): avc: denied { getattr } for pid=4193349 comm="actix-rt:worker" path="/proc/2826870" dev="proc" ino=46793641 scontext=system_u:system_r:container_t:s0:c118,c962 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=dir permissive=1
type=SYSCALL msg=audit(1620219205.086:466056): arch=c000003e syscall=332 success=yes exit=0 a0=ffffffffffffff9c a1=7f215c08c900 a2=0 a3=fff items=0 ppid=4193337 pid=4193349 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=6 comm="actix-rt:worker" exe="/usr/local/bin/scaphandre" subj=system_u:system_r:container_t:s0:c118,c962 key=(null)ARCH=x86_64 SYSCALL=statx AUID="root" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=PROCTITLE msg=audit(1620219205.086:466056): proctitle=2F7573722F6C6F63616C2F62696E2F7363617068616E6472650070726F6D657468657573
type=AVC msg=audit(1620219215.063:466057): avc: denied { search } for pid=4193349 comm="actix-rt:worker" name="1760" dev="proc" ino=21084 scontext=system_u:system_r:container_t:s0:c118,c962 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=dir permissive=1
type=SYSCALL msg=audit(1620219215.063:466057): arch=c000003e syscall=257 success=yes exit=20 a0=ffffff9c a1=7f215c1d0af0 a2=80000 a3=0 items=1 ppid=4193337 pid=4193349 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=6 comm="actix-rt:worker" exe="/usr/local/bin/scaphandre" subj=system_u:system_r:container_t:s0:c118,c962 key=(null)ARCH=x86_64 SYSCALL=openat AUID="root" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=PATH msg=audit(1620219215.063:466057): item=0 name="/proc/1760/status" inode=29092 dev=00:04 mode=0100444 ouid=0 ogid=0 rdev=00:00 obj=system_u:system_r:systemd_logind_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="root" OGID="root"
type=PROCTITLE msg=audit(1620219215.063:466057): proctitle=2F7573722F6C6F63616C2F62696E2F7363617068616E6472650070726F6D657468657573
type=AVC msg=audit(1620219215.081:466058): avc: denied { getattr } for pid=4193349 comm="actix-rt:worker" path="/proc/1760" dev="proc" ino=21084 scontext=system_u:system_r:container_t:s0:c118,c962 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=dir permissive=1
type=SYSCALL msg=audit(1620219215.081:466058): arch=c000003e syscall=332 success=yes exit=0 a0=ffffffffffffff9c a1=7f215c0a5590 a2=0 a3=fff items=0 ppid=4193337 pid=4193349 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=6 comm="actix-rt:worker" exe="/usr/local/bin/scaphandre" subj=system_u:system_r:container_t:s0:c118,c962 key=(null)ARCH=x86_64 SYSCALL=statx AUID="root" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
```

Environment

CentOS Linux release 8.3.2011
4.18.0-240.10.1.el8_3.x86_64

Additional context

I'm using scaphandre in OpenStack Victoria context.

@clopnis clopnis added the bug Something isn't working label May 5, 2021
@bpetit
Contributor

bpetit commented May 9, 2021

Hi !

Thanks for reporting that. If we are lucky enough to have someone experienced with selinux we would love to have some help.

If not I may give it a try someday.

@bpetit bpetit added good first issue Good for newcomers help wanted Extra attention is needed labels May 9, 2021
@nmasse-itix

Hello,

I played with scaphandre on my CentOS Stream server. Here are my findings:

  • when scaphandre is compiled from sources and installed manually, it runs as unconfined_service_t and can discover process consumption
  • when scaphandre is run in a container, it runs by default as container_t and cannot find details about the running processes.
  • however, it is possible to run it with podman run --privileged and then scaphandre runs as spc_t. It can find details about the running processes and their consumption.
  • it seems, from dwalsh, that accessing the host pid namespace requires an unconfined domain.
  • My understanding is that /proc/*/cmdline (used to translate PIDs to command lines) has the SELinux label of the corresponding process and therefore creating a SELinux policy for scaphandre would imply granting access to the whole system (from kernel_t, to sshd_t, to syslogd_t, etc.)

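As an added example (not code from this issue or from the scaphandre project), a small parser that pulls the AVC denials out of audit output like the one above and lists, per source domain, each target domain, object class and permission that was refused. Run over three records copied from this issue (the SYSCALL line shortened), it shows container_t being denied against svirt_t, udev_t and systemd_logind_t, which is the breadth of access a dedicated policy would have to grant.

```python
import re
from collections import defaultdict

# Audit records copied from this issue; the SYSCALL line is shortened and
# is there only to show that non-AVC records are skipped by the parser.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1620219205.085:466055): avc: denied { getattr } for pid=4193349 comm="actix-rt:worker" path="/proc/958137" dev="proc" ino=18576650 scontext=system_u:system_r:container_t:s0:c118,c962 tcontext=system_u:system_r:svirt_t:s0:c589,c604 tclass=dir permissive=1
type=SYSCALL msg=audit(1620219205.085:466055): arch=c000003e syscall=332 success=yes exit=0
type=AVC msg=audit(1620219205.086:466056): avc: denied { getattr } for pid=4193349 comm="actix-rt:worker" path="/proc/2826870" dev="proc" ino=46793641 scontext=system_u:system_r:container_t:s0:c118,c962 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=dir permissive=1
type=AVC msg=audit(1620219215.063:466057): avc: denied { search } for pid=4193349 comm="actix-rt:worker" name="1760" dev="proc" ino=21084 scontext=system_u:system_r:container_t:s0:c118,c962 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=dir permissive=1
"""

# One AVC record: the permission set in braces, then source/target contexts,
# object class and whether the kernel was in permissive mode when it logged it.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+).*?tcontext=(?P<tcontext>\S+).*?'
    r'tclass=(?P<tclass>\S+).*?permissive=(?P<permissive>[01])'
)

def domain_of(context):
    """Return the type (third colon-separated field) of an SELinux context."""
    return context.split(":")[2]

def parse_avc(text):
    """Yield one dict per AVC denial record found in audit log text."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            yield {
                "perms": m.group("perms").split(),
                "source": domain_of(m.group("scontext")),
                "target": domain_of(m.group("tcontext")),
                "tclass": m.group("tclass"),
                "permissive": m.group("permissive") == "1",
            }

def denied_targets(text):
    """Map each source domain to the set of (target, class, perm) it was denied."""
    out = defaultdict(set)
    for rec in parse_avc(text):
        for perm in rec["perms"]:
            out[rec["source"]].add((rec["target"], rec["tclass"], perm))
    return dict(out)

if __name__ == "__main__":
    # Print the denials in the shape of the allow rules a policy would need.
    for src, needs in denied_targets(SAMPLE_AUDIT).items():
        for tgt, cls, perm in sorted(needs):
            print(f"allow {src} {tgt}:{cls} {perm};")
```

Each /proc/PID directory carries the label of its owning process, so every new target domain seen by the parser is another domain the policy would have to name.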
@bpetit
Contributor

bpetit commented May 18, 2021

Hi !

Thanks a lot for those insights. This will definitely be useful to work on the issue.

@uggla
Collaborator

uggla commented May 21, 2021

@nmasse-itix thanks for the investigations ! It explains why as a Fedora user with SELinux enabled, I have not seen the issue.

@bpetit bpetit added this to the Release v0.5.0 milestone Sep 20, 2021
@jotak
Contributor

jotak commented Nov 19, 2021

also if you run scaphandre on openshift you may have to run it as privileged:

oc adm policy add-scc-to-user privileged -z scaphandre

(assuming there's a scaphandre service account, like the helm chart has: https://github.com/hubblo-org/scaphandre/blob/main/helm/scaphandre/templates/service-account.yaml )

Note: I haven't tested on bare metal, so I cannot say if this is sufficient.

@bpetit bpetit modified the milestones: Release v0.5.0, Release v0.6.0 Jun 29, 2022
@bpetit
Contributor

bpetit commented Jul 13, 2022

Hi ! Could someone tell me if I understand correctly the state here ? (it's been some time + I'm a noob in selinux)

I first understood we should write a selinux policy for scaphandre, but findings from @nmasse-itix seem to show that

  • the issue only happens if scaphandre is in a container (at least for podman)
  • this policy would be so permissive that it would be the same as running the container as privileged

Is that right ? If so, would adding the right procedure for running scaphandre in podman on centos/redhat in the documentation do the trick ?

@nmasse-itix

Yes, I think so !

@bpetit bpetit added documentation Improvements or additions to documentation and removed bug Something isn't working labels Jul 13, 2022
@bpetit
Contributor

bpetit commented Jul 13, 2022

Thanks ! I'll attach the PR to this issue and ask you for a review.

@bpetit bpetit modified the milestones: Release v0.6.0, Release v0.5.0 Jul 13, 2022
@bpetit bpetit linked a pull request Jul 13, 2022 that will close this issue
@bpetit
Contributor

bpetit commented Jul 13, 2022

@bpetit
Contributor

bpetit commented Jul 13, 2022

@clopnis does this make sense to you ?

@bpetit bpetit self-assigned this Jul 13, 2022
@bpetit bpetit closed this as completed Jul 13, 2022
@bpetit bpetit added this to General Jun 19, 2024
@bpetit bpetit moved this to Previous releases in General Jun 19, 2024