Kube Flannel (> 0.14.1) does not start in SELinux enforcing mode #635
Description
In the latest CNI plugins versions (from 1.0.0), the Flannel plugin has been removed. Starting from Kube Flannel version 0.15.0, plugin installation is defined in the manifest:

```yaml
      - name: install-cni-plugin
        image: rancher/mirrored-flannelcni-flannel-cni-plugin:v1.2
        command:
        - cp
        args:
        - -f
        - /flannel
        - /opt/cni/bin/flannel
        volumeMounts:
        - name: cni-plugin
          mountPath: /opt/cni/bin
```

The path being mounted is /opt/cni/bin, with the following label on the host machine:
```console
$ ls -aliZ /opt/cni/
total 24
198 drwxr-xr-x. 3 root root system_u:object_r:usr_t:s0 4096 Feb 22 09:02 .
94 drwxr-xr-x. 6 root root system_u:object_r:usr_t:s0 4096 Feb 22 09:02 ..
199 drwxrwxr-x. 2 root root system_u:object_r:usr_t:s0 4096 Sep 7 19:49 bin
```

This leads to the following SELinux error and prevents Flannel from starting correctly in enforcing mode:

```
Feb 21 13:37:14.710000 audit[3217]: AVC avc: denied { write } for pid=3217 comm="cp" name="bin" dev="sda9" ino=198 scontext=system_u:system_r:svirt_lxc_net_t:s0:c229,c794 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0
```
While waiting for #479, we can patch the current selinux-virt policy, as we already did for Flannel in this commit: flatcar-archive/coreos-overlay@56d2acd, to give /opt/cni(/.*)? a correct context.
This patch could eventually be upstreamed to https://github.com/SELinuxProject/refpolicy/blob/master/policy/modules/services/container.fc once we have integrated and tested this new policy.
Additional information
We can currently mitigate this issue by running a chcon command on the folder (see also: flatcar/mantle#297):

```
/usr/bin/chcon -R /opt/cni -t svirt_lxc_file_t
```
To reproduce
Run kubeadm.v1.23.4.flannel.base on any cloud provider; to assert the issue is fixed: revert the commit where chcon is added and re-run the test.
NOTE: This commit can be reverted once done: flatcar-archive/flatcar-docs@f77a06f
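As an added example (not code from this issue or from the Flatcar project), the POSIX shell script below parses an AVC denial of the shape quoted in the report, checks whether it is the case described here (a container domain denied on a directory still carrying the generic host label usr_t), and prints the persistent fix: a refpolicy file-context line for /opt/cni(/.*)? plus restorecon, rather than the one-off chcon. A label set with chcon is reset to the policy default by the next restorecon or full relabel, which is why the issue proposes a policy patch. The type svirt_lxc_file_t and the path pattern come from the report; every function name is an assumption, and the semanage line applies only on hosts that ship that tool.

```shell
#!/bin/sh
# Added example, not code from the Flatcar issue or project.
# Parses an AVC denial of the shape quoted in the report, checks whether it is
# the "container domain blocked on a usr_t directory" case, and prints the
# persistent relabel instead of a one-off chcon. All function names are
# hypothetical; the type svirt_lxc_file_t and the /opt/cni(/.*)? pattern are
# taken from the report.

# Constructed sample input: the denial line quoted in the report.
SAMPLE_AVC='Feb 21 13:37:14.710000 audit[3217]: AVC avc: denied { write } for pid=3217 comm="cp" name="bin" dev="sda9" ino=198 scontext=system_u:system_r:svirt_lxc_net_t:s0:c229,c794 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0'

# avc_field LINE KEY: value of the KEY=value token, surrounding quotes removed
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | tr -d '"'
}

# avc_perms LINE: the permission set between "denied {" and "}"
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \([^}]*\) }.*/\1/p'
}

# context_type CONTEXT: the type component of user:role:type:level
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_is_enforcing LINE: true when the denial was enforced (permissive=0)
avc_is_enforcing() {
    [ "$(avc_field "$1" permissive)" = "0" ]
}

# needs_relabel LINE: true when a container domain (svirt_lxc_net_t) was
# denied on a target still carrying the generic host label usr_t, i.e. the
# mislabelled-directory case rather than a missing policy rule.
needs_relabel() {
    _src=$(context_type "$(avc_field "$1" scontext)")
    _tgt=$(context_type "$(avc_field "$1" tcontext)")
    [ "$_src" = "svirt_lxc_net_t" ] && [ "$_tgt" = "usr_t" ]
}

# fc_rule DIR TYPE: the refpolicy file-context line that makes the label
# survive restorecon or a full relabel (the kind of rule the issue proposes)
fc_rule() {
    printf '%s(/.*)?\tgen_context(system_u:object_r:%s,s0)\n' "$1" "$2"
}

# remediation_plan DIR TYPE: commands for a host that has policy tooling; a
# persistent fcontext rule followed by restorecon, instead of chcon alone
remediation_plan() {
    printf "semanage fcontext -a -t %s '%s(/.*)?'\n" "$2" "$1"
    printf 'restorecon -Rv %s\n' "$1"
}

# Stand-alone run: explain the sample denial and print the fix.
if [ "${1:-}" = "--explain" ]; then
    if needs_relabel "$SAMPLE_AVC" && avc_is_enforcing "$SAMPLE_AVC"; then
        echo "comm=$(avc_field "$SAMPLE_AVC" comm) denied { $(avc_perms "$SAMPLE_AVC") } on $(avc_field "$SAMPLE_AVC" tclass) '$(avc_field "$SAMPLE_AVC" name)' (enforcing)"
        echo "policy line:"; fc_rule /opt/cni svirt_lxc_file_t
        echo "or, with policy tooling:"; remediation_plan /opt/cni svirt_lxc_file_t
    fi
fi
```

Run it as `sh avc_cni_label.sh --explain` to see the parsed denial and both forms of the fix. The parsing functions are pure text processing, so the same checks can be pointed at `journalctl` or `ausearch` output on a real host; only the printed remediation touches policy, and it is printed rather than executed so it can be reviewed first.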