Description
Since the recent PR #5463 added the /run/.containerenv file, creation of sandboxed PODs with Kata Containers systematically fails when SELinux is enabled on the host.
Steps to reproduce the issue:
- Install kata-containers on a SELinux enabled host
- Start a POD with kata
Describe the results you received:
Error: CreateContainer failed: Permission denied (os error 13): unknown
Describe the results you expected:
The POD starts.
Additional information you deem important (e.g. issue happens only occasionally):
An associated AVC pops up in the host's audit.log:
type=AVC msg=audit(1638366833.647:384): avc: denied { getattr } for pid=47669 comm="pool" path="/e7d12344ab2101c7a3b3bc9b231b6ef08943773735cc7f0af947bcb1978849c5-806c6094a1ccc6c5-.containerenv" dev="vda4" ino=8849605 scontext=system_u:system_r:container_kvm_t:s0:c318,c820 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1638366833.647:384): arch=c000003e syscall=262 success=no exit=-13 a0=26 a1=562f154f0cbc a2=7fdf99cec9b0 a3=1100 items=0 ppid=47656 pid=47669 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pool" exe="/usr/libexec/virtiofsd" subj=system_u:system_r:container_kvm_t:s0:c318,c820 key=(null)ARCH=x86_64 SYSCALL=newfstatat AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=PROCTITLE msg=audit(1638366833.647:384): proctitle=2F7573722F6C6962657865632F76697274696F667364002D2D7379736C6F67002D6F0063616368653D6175746F002D6F006E6F5F706F7369785F6C6F636B002D6F00736F757263653D2F72756E2F6B6174612D636F6E7461696E6572732F7368617265642F73616E64626F7865732F3366613565333063663737383830346433
The /e7d12344ab2101c7a3b3bc9b231b6ef08943773735cc7f0af947bcb1978849c5-806c6094a1ccc6c5-.containerenv file has label container_var_lib_t instead of the expected container_file_t.
Code inspection seems to indicate that the re-labelling that is performed for other files is missing in #5463:
	if sb.ResolvPath() != "" {
		if err := securityLabel(sb.ResolvPath(), mountLabel, false, false); err != nil {
			return nil, err
		}
		ctr.SpecAddMount(rspec.Mount{
			Destination: "/etc/resolv.conf",
			Type:        "bind",
			Source:      sb.ResolvPath(),
			Options:     append(options, []string{"bind", "nodev", "nosuid", "noexec"}...),
		})
	}
	if sb.HostnamePath() != "" {
		if err := securityLabel(sb.HostnamePath(), mountLabel, false, false); err != nil {
			return nil, err
		}
		ctr.SpecAddMount(rspec.Mount{
			Destination: "/etc/hostname",
			Type:        "bind",
			Source:      sb.HostnamePath(),
			Options:     append(options, "bind"),
		})
	}
	if sb.ContainerEnvPath() != "" {
		// ====> Should securityLabel() be called here as well?
		ctr.SpecAddMount(rspec.Mount{
			Destination: "/run/.containerenv",
			Type:        "bind",
			Source:      sb.ContainerEnvPath(),
			Options:     append(options, "bind"),
		})
	}
Output of crio --version:
crio version 1.23.0-2.rhaos4.10.git7048f24.el8
Version: 1.23.0-2.rhaos4.10.git7048f24.el8
GoVersion: go1.17.2
Compiler: gc
Platform: linux/amd64
Linkmode: dynamic
BuildTags: exclude_graphdriver_devicemapper, containers_image_ostree_stub, seccomp, selinux
SeccompEnabled: true
AppArmorEnabled: false
Additional environment details (AWS, VirtualBox, physical, etc.):
Red Hat OpenShift Container Platform
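As an added example, not cri-o code, the following parses the AVC line quoted in the report into its fields and flags the label mismatch the report describes; the expected type container_file_t comes from the report, while the type and function names are this example's own.

```go
package main

import (
	"regexp"
	"strings"
)

// SampleAVC is the denial quoted in the report above, embedded so the example runs offline.
const SampleAVC = `type=AVC msg=audit(1638366833.647:384): avc: denied { getattr } for pid=47669 comm="pool" path="/e7d12344ab2101c7a3b3bc9b231b6ef08943773735cc7f0af947bcb1978849c5-806c6094a1ccc6c5-.containerenv" dev="vda4" ino=8849605 scontext=system_u:system_r:container_kvm_t:s0:c318,c820 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=0`

// AVCRecord holds the fields of a type=AVC line relevant to a mislabeled bind-mount source.
type AVCRecord struct {
	Perms                                  []string
	Comm, Path, SContext, TContext, TClass string
}

var (
	permsRe = regexp.MustCompile(`denied\s+\{([^}]*)\}`)
	kvRe    = regexp.MustCompile(`(\w+)=("[^"]*"|\S+)`)
)

// ParseAVC extracts the denied permissions and key=value fields; ok is false for non-AVC lines.
func ParseAVC(line string) (rec AVCRecord, ok bool) {
	if !strings.Contains(line, "type=AVC") {
		return rec, false
	}
	if m := permsRe.FindStringSubmatch(line); m != nil {
		rec.Perms = strings.Fields(m[1])
	}
	fields := map[string]*string{"comm": &rec.Comm, "path": &rec.Path,
		"scontext": &rec.SContext, "tcontext": &rec.TContext, "tclass": &rec.TClass}
	for _, m := range kvRe.FindAllStringSubmatch(line, -1) {
		if dst, found := fields[m[1]]; found {
			*dst = strings.Trim(m[2], `"`) // path= and comm= are quoted in audit.log
		}
	}
	return rec, true
}

// TypeOf returns the type field of an SELinux context (user:role:type:level).
func TypeOf(ctx string) string {
	if p := strings.Split(ctx, ":"); len(p) >= 3 {
		return p[2]
	}
	return ""
}

// MislabeledFile reports a file-class denial whose target type differs from the expected label type.
func MislabeledFile(rec AVCRecord, expectedType string) bool {
	return rec.TClass == "file" && TypeOf(rec.TContext) != expectedType
}
```

Run over a host's audit.log, MislabeledFile(rec, "container_file_t") isolates denials on files that were bind-mounted without the relabeling step the report points at.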