
[BUG] restorecon seems to relabel files unnecessarily under /var/lib/kubelet/pods/<id>/volumes/kubernetes.io~projected/ and secret #4428

Open
maage opened this issue Jan 18, 2025 · 0 comments · May be fixed by #4429

maage commented Jan 18, 2025

What happened?

I ran restorecon -nvR /var and noticed it would have modified the fcontext of some kube files that I think have reasonable fcontexts, and that the new fcontexts would not be as reasonable.

What did you expect to happen?

Restorecon should not relabel any files if there is no misconfiguration.

How to reproduce it (as minimally and precisely as possible)?

  1. build microshift in Fedora 41
  2. install microshift in Fedora 41
  3. start microshift
  4. run sudo restorecon -nvR -e /var/lib/mock -e /var/cache/mock /var | tee restorecon.txt

Anything else we need to know?

I think this should be tested. Start microshift. Run restorecon against any of the files where microshift data is, and there should not be any changes. This seems to be too limited:

CONTEXT_CHECK_MAP = {
    "system_u:object_r:container_var_lib_t:s0": [
        "/var/lib/microshift",
        "/var/lib/microshift-backups",
    ],
    "system_u:object_r:container_log_t:s0": [
        "/var/log/kube-apiserver",
    ],
    "system_u:object_r:kubelet_exec_t:s0": [
        "/usr/bin/microshift",
        "/usr/bin/microshift-etcd",
    ],
    "system_u:object_r:kubernetes_file_t:s0": [
        "/etc/microshift",
        "/etc/microshift/manifests",
        "/etc/microshift/manifests.d",
    ],
}

  • /var/lib/kubelet
  • /var/lib/crio
  • /var/lib/openvswitch
  • /var/lib/cni
  • /var/log/pods
  • /var/log/ovn-kubernetes
  • /var/log/openvswitch
  • /var/log/crio
  • /var/log/ovn

And this should employ restorecon, as `ls -Zd` does not catch issues deep in the directory structure.

from typing import List

# Robot Framework's BuiltIn keyword library; the assertions below come from it.
from robot.libraries.BuiltIn import BuiltIn


def run_fcontext_check() -> List[str]:
    # `ls -Zd` prints the label of the directory entry itself only; nothing below it is checked.
    ls_cmd = "ls -Zd"
    incorrect_fcontext = []
    for context, file_paths in CONTEXT_CHECK_MAP.items():
        for file_path in file_paths:
            # remote_sudo_rc and context_do_not_match are helpers from the same test library.
            stdout, rc = remote_sudo_rc(f"{ls_cmd} {file_path} | awk '{{print $1 }}'")
            BuiltIn().should_not_be_empty(stdout)
            BuiltIn().should_be_equal_as_integers(rc, 0)
            if context_do_not_match(stdout, context):
                incorrect_fcontext.append(f"expected {file_path} to have context of ({context}) but got ({stdout})")
    return incorrect_fcontext

Environment

  • MicroShift version (use microshift version):

MicroShift Version: 4.18.0
Base OCP Version: 4.18.0-0.nightly-2025-01-09-012852

  • Hardware configuration:
  • OS (e.g: cat /etc/os-release):

NAME="Fedora Linux"
VERSION="41 (Workstation Edition)"
RELEASE_TYPE=stable
ID=fedora
VERSION_ID=41
VERSION_CODENAME=""
PLATFORM_ID="platform:f41"
PRETTY_NAME="Fedora Linux 41 (Workstation Edition)"
ANSI_COLOR="0;38;2;60;110;180"
LOGO=fedora-logo-icon
CPE_NAME="cpe:/o:fedoraproject:fedora:41"
DEFAULT_HOSTNAME="fedora"
HOME_URL="https://fedoraproject.org/"
DOCUMENTATION_URL="https://docs.fedoraproject.org/en-US/fedora/f41/system-administrators-guide/"
SUPPORT_URL="https://ask.fedoraproject.org/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Fedora"
REDHAT_BUGZILLA_PRODUCT_VERSION=41
REDHAT_SUPPORT_PRODUCT="Fedora"
REDHAT_SUPPORT_PRODUCT_VERSION=41
SUPPORT_END=2025-12-15
VARIANT="Workstation Edition"
VARIANT_ID=workstation

  • Kernel (e.g. uname -a):

Linux test 6.12.8-200.fc41.x86_64 #1 SMP PREEMPT_DYNAMIC Thu Jan 2 19:26:03 UTC 2025 x86_64 GNU/Linux

  • Others:

container-selinux-2.234.2-1.fc41.noarch
selinux-policy-targeted-0:41.28-1.fc41.noarch

Relevant logs

Would relabel /var/lib/kubelet/pods/4f9ad0d6-9a40-44b9-af85-a62af7e9ebe1/volumes/kubernetes.io~projected/kube-api-access-285xq from system_u:object_r:tmpfs_t:s0 to system_u:object_r:container_var_lib_t:s0
Would relabel /var/lib/kubelet/pods/4f9ad0d6-9a40-44b9-af85-a62af7e9ebe1/volumes/kubernetes.io~projected/kube-api-access-285xq/..data from system_u:object_r:container_runtime_tmpfs_t:s0 to system_u:object_r:container_var_lib_t:s0
...
Would relabel /var/lib/kubelet/pods/0802e07b-5854-4c18-ac85-4c9d579a7646/volumes/kubernetes.io~secret/metrics-cert from system_u:object_r:tmpfs_t:s0 to system_u:object_r:container_var_lib_t:s0
Would relabel /var/lib/kubelet/pods/0802e07b-5854-4c18-ac85-4c9d579a7646/volumes/kubernetes.io~secret/metrics-cert/..2025_01_18_13_42_34.2656841619 from system_u:object_r:container_runtime_tmpfs_t:s0 to system_u:object_r:container_var_lib_t:s0
...
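An added example, not part of the issue and not MicroShift's own test code, of what a restorecon-based version of the check could look like: it builds the same dry-run command the reporter ran, parses every "Would relabel <path> from <current> to <expected>" line into a structured finding, and reports findings in the same message shape as the existing `ls -Zd` check. The path list is assembled from the directories named above, the sample output is constructed from the attached log lines, and all function and variable names are assumptions of this example.

```python
import re
import subprocess
from dataclasses import dataclass
from typing import Callable, Iterable, List, Sequence

# Directory trees named in the issue that a relabel check should walk.
# Assembled here from the issue text; this is not MicroShift's own list.
RESTORECON_CHECK_PATHS = [
    "/var/lib/microshift",
    "/var/lib/microshift-backups",
    "/var/lib/kubelet",
    "/var/lib/crio",
    "/var/lib/openvswitch",
    "/var/lib/cni",
    "/var/log/kube-apiserver",
    "/var/log/pods",
    "/var/log/ovn-kubernetes",
    "/var/log/openvswitch",
    "/var/log/crio",
    "/var/log/ovn",
]

# One dry-run line: "Would relabel <path> from <current ctx> to <expected ctx>".
# The path is matched greedily and both contexts are anchored at the end of the
# line, so a path that contains spaces still parses correctly.
RELABEL_RE = re.compile(r"^Would relabel (?P<path>.+) from (?P<current>\S+) to (?P<expected>\S+)$")


@dataclass(frozen=True)
class RelabelFinding:
    path: str
    current: str   # label the file carries on disk right now
    expected: str  # label the loaded file-context policy says it should have


def parse_restorecon_dry_run(output: str) -> List[RelabelFinding]:
    """Turn `restorecon -nv` output into findings; lines that are not relabel reports are ignored."""
    findings: List[RelabelFinding] = []
    for line in output.splitlines():
        match = RELABEL_RE.match(line.strip())
        if match:
            findings.append(RelabelFinding(**match.groupdict()))
    return findings


def restorecon_dry_run_cmd(paths: Sequence[str], excludes: Iterable[str] = ()) -> List[str]:
    """argv for a recursive (-R), verbose (-v), no-change (-n) restorecon run."""
    cmd = ["restorecon", "-nvR"]
    for excluded in excludes:
        cmd += ["-e", excluded]  # -e skips a subtree, as the reporter did for the mock caches
    cmd += list(paths)
    return cmd


def format_findings(findings: Iterable[RelabelFinding]) -> List[str]:
    """Messages in the same shape the existing ls -Zd check produces."""
    return [f"expected {f.path} to have context of ({f.expected}) but got ({f.current})" for f in findings]


def run_restorecon_check(
    paths: Sequence[str] = RESTORECON_CHECK_PATHS,
    excludes: Iterable[str] = (),
    runner: Callable[..., subprocess.CompletedProcess] = subprocess.run,
) -> List[str]:
    """Run the dry run and return one message per file restorecon would relabel.

    restorecon exits 0 whether or not it would relabel anything, so the exit status
    is only an error indicator; the verdict has to come from parsing the output.
    `runner` is injectable so the logic can be exercised without root or SELinux.
    """
    proc = runner(restorecon_dry_run_cmd(paths, excludes), capture_output=True, text=True, check=False)
    if proc.returncode != 0:
        raise RuntimeError(f"restorecon failed ({proc.returncode}): {proc.stderr.strip()}")
    return format_findings(parse_restorecon_dry_run(proc.stdout))


# Constructed sample: the four lines the reporter attached plus one unrelated line,
# to show that non-relabel output is ignored.
SAMPLE_OUTPUT = """\
unrelated output line (constructed)
Would relabel /var/lib/kubelet/pods/4f9ad0d6-9a40-44b9-af85-a62af7e9ebe1/volumes/kubernetes.io~projected/kube-api-access-285xq from system_u:object_r:tmpfs_t:s0 to system_u:object_r:container_var_lib_t:s0
Would relabel /var/lib/kubelet/pods/4f9ad0d6-9a40-44b9-af85-a62af7e9ebe1/volumes/kubernetes.io~projected/kube-api-access-285xq/..data from system_u:object_r:container_runtime_tmpfs_t:s0 to system_u:object_r:container_var_lib_t:s0
Would relabel /var/lib/kubelet/pods/0802e07b-5854-4c18-ac85-4c9d579a7646/volumes/kubernetes.io~secret/metrics-cert from system_u:object_r:tmpfs_t:s0 to system_u:object_r:container_var_lib_t:s0
Would relabel /var/lib/kubelet/pods/0802e07b-5854-4c18-ac85-4c9d579a7646/volumes/kubernetes.io~secret/metrics-cert/..2025_01_18_13_42_34.2656841619 from system_u:object_r:container_runtime_tmpfs_t:s0 to system_u:object_r:container_var_lib_t:s0
"""

if __name__ == "__main__":
    # Offline demonstration on the constructed sample; on a real host call run_restorecon_check().
    for msg in format_findings(parse_restorecon_dry_run(SAMPLE_OUTPUT)):
        print(msg)
```

The check passes only when the returned list is empty, which is exactly the "restorecon should not relabel anything" expectation from the report; keeping the current and expected contexts as separate fields also makes it possible to tell a genuine misconfiguration (wrong label on disk) apart from a policy file-context rule that does not match what the kubelet mounts, which is the distinction this issue is about.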
maage linked a pull request Jan 18, 2025 that will close this issue