kubernetes: `flannel` init container is crashing

[tormath1]

Description

we recently upgraded SELinux libs and we added some tests to validate various CNI in Kubernetes environment - an issue has been discovered while running kubeadm.v1.21.flannel tests.

Flannel init container is not able to run and it crashed with the following message:

core@localhost ~ $ docker logs 6a774c560ff1
cp: can't create '/etc/cni/net.d/10-flannel.conflist': Permission denied

SELinux is set in enforce mode during the tests and by checking the audit logs; we have the following:

[  201.090219] audit: type=1400 audit(1628602162.447:213): avc:  denied  { write } for  pid=4361 comm="cp" name="net.d" dev="vda9" ino=224 scontext=system_u:system_r:svirt_lxc_net_t:s0:c50,c336 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0

Impact

User running flannel CNI in Kubernetes cluster using Flatcar with SELinux enabled might experience some issues.

Environment and steps to reproduce

1. Run kola kubeadm.v1.21.0.flannel.base test with this branch: tormath1/kubernetes-1-22

Additional information

1. It has not been caught before in the CI because there is a programming error in the kola codebase:

diff --git a/kola/tests/kubeadm/kubeadm.go b/kola/tests/kubeadm/kubeadm.go
index 44b47387..5b81da19 100644
--- a/kola/tests/kubeadm/kubeadm.go
+++ b/kola/tests/kubeadm/kubeadm.go
@@ -76,12 +76,13 @@ systemd:

 func init() {
        for _, CNI := range CNIs {
+               cni := CNI
                register.Register(&register.Test{
-                       Name:             fmt.Sprintf("kubeadm.%s.base", CNI),
+                       Name:             fmt.Sprintf("kubeadm.%s.base", cni),
                        Distros:          []string{"cl"},
                        ExcludePlatforms: []string{"esx"},
                        Run: func(c cluster.TestCluster) {
-                               kubeadmBaseTest(c, CNI)
+                               kubeadmBaseTest(c, cni)
                        },
                })
        }

2. I'm currently testing with the following patch:

--- a/sec-policy/selinux-virt/files/virt.patch
+++ b/sec-policy/selinux-virt/files/virt.patch
@@ -36,4 +36,4 @@ index 256ea58..f72fbba 100644
 +allow svirt_lxc_net_t var_lib_t:file { entrypoint execute execute_no_trans };
 +allow svirt_lxc_net_t kernel_t:fifo_file { getattr ioctl read write open append };
 +allow svirt_lxc_net_t initrc_t:fifo_file { getattr ioctl read write open append };
-+
++allow svirt_lxc_net_t etc_t:dir { write };

[pothos]

Instead of allowing all containers to write to /etc/, would it work to only add the /etc/cni/ directory like done in https://github.com/containers/container-selinux/blob/main/container.fc#L46 for /etc/crio/?

[tormath1]

@pothos for sure, I'll give a try - it's still good to stay specific in SELinux rules... The repo you linked is super interesting - what about including the following policies to the OS ?

[pothos]

Yes, we should align the SELinux policies with those from Fedora CoreOS

[tormath1]

@pothos I did some tests with the following patch:

index 5266b68c1..8edeb3dcb 100644
--- services/virt.fc
+++ services/virt.fc
@@ -65,3 +65,6 @@ HOME_DIR/VirtualMachines/isos(/.*)?	gen_context(system_u:object_r:virt_content_t
 /run/user/[^/]*/libguestfs(/.*)?	gen_context(system_u:object_r:virt_home_t,s0)
 /run/vdsm(/.*)?	gen_context(system_u:object_r:virt_runtime_t,s0)
 /run/virtlockd\.pid	--	gen_context(system_u:object_r:virtlockd_run_t,s0)
+
+# flatcar changes
+/etc/cni(/.*)?         gen_context(system_u:object_r:svirt_lxc_file_t,s0)

to have the suggested approach.

It does not solve totally the issue - /etc/cni will be labelled as its parent directory so etc_t type:

core@localhost ~ $ sudo mkdir /etc/cni
core@localhost ~ $ ls -alZ /etc/cni/
total 16
drwxr-xr-x.  2 root root system_u:object_r:etc_t:s0 4096 Aug 11 10:43 .
drwxr-xr-x. 48 root root system_u:object_r:etc_t:s0 4096 Aug 11 10:43 ..
core@localhost ~ $ selabel_lookup -b file -r -k /etc/cni/
Default context: system_u:object_r:svirt_lxc_file_t:s0

so a restorecon is required to have the correct labelling...

$ docker run --rm -ti -v "/etc/cni/:/opt" alpine sh -c "echo test > /opt/test"
sh: can't create /opt/test: Permission denied
$ sudo restorecon -rv /etc/cni/
Relabeled /etc/cni from system_u:object_r:etc_t:s0 to system_u:object_r:svirt_lxc_file_t:s0
$ docker run --rm -ti -v "/etc/cni/:/opt" alpine sh -c "echo test > /opt/test"
$ cat /etc/cni/test
test

we have a similar test case in mantle - but it adds the :z option to allow docker to relabel the files correctly (see: https://github.com/kinvolk/mantle/blob/flatcar-master/kola/tests/docker/docker.go#L642)

[pothos]

I don't know where the correct labeling of /etc/ files should take place – maybe we can create the directory with systemd-tmpfiles in https://github.com/kinvolk/baselayout/blob/flatcar-master/tmpfiles.d/baselayout-etc.conf and then add a restorecon call after the systemd-tmpfiles service ran?

[pothos]

https://www.freedesktop.org/software/systemd/man/tmpfiles.d.html#z has something about relabling but there is also the option to set the extended file attribute directly: https://www.freedesktop.org/software/systemd/man/tmpfiles.d.html#t

[tormath1]

@pothos thanks for systemd links - they can be helpful but the issue is more on the fact that /etc/cni does not exist initially so when it's created it inherits from /etc file context (etc_t). Also we can't afford to relabel all /etc with svirt_lxc_file_t.

[pothos]

Yes, so I suggest that we ship a tmpfiles rule to create /etc/cni with the right label or align the label for an existing directory.
As far as I understand, we can try to use a Z entry but may have to use a T entry (Using both doesn't work, at least I remember it like that).

[tormath1]

I'm thinking - we could also change the flannel manifest to use directly the /opt/cni directory. Like we are already doing for others: https://github.com/kinvolk/mantle/blob/1bf480818d61855b31ad5fda887e70a3dd8f344d/kola/tests/kubeadm/templates.go#L103-L118

EDIT: nope, because it will hit the same issue except that it will be for usr_t target.

EDIT: I found this macro: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sec-file-name-transition it seems to address exactly the issue - let's give a try.

[tormath1]

alright it worked with the macro. There is another issue now:

Aug 11 16:19:38.408233 kernel: audit: type=1400 audit(1628691578.394:214): avc:  denied  { module_request } for  pid=4625 comm="flanneld" kmod="rtnl-link-vxlan" scontext=system_u:system_r:svirt_lxc_net_t:s0:c556,c665 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0

I'm trying to add the following rule to virt.te:

+allow svirt_lxc_net_t kernel_t:system { module_request };