Bug 1991443
Summary: | [RHEL 8.4] Backport container-selinux policy to allow spc_t domains to set bpf rules on any domain | |||
---|---|---|---|---|
Product: | Red Hat Enterprise Linux 8 | Reporter: | Itamar Holder <iholder> | |
Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> | |
Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> | |
Severity: | high | Docs Contact: | ||
Priority: | medium | |||
Version: | 8.4 | CC: | acardace, fdeutsch, lvrabec, mmalik, mtessun, plautrba, qe-baseos-security, sgott, ssekidde, zpytela | |
Target Milestone: | beta | Keywords: | AutoVerified, Triaged, ZStream | |
Target Release: | 8.6 | |||
Hardware: | All | |||
OS: | Linux | |||
Whiteboard: | ||||
Fixed In Version: | selinux-policy-3.14.3-81.el8 | Doc Type: | Bug Fix | |
Doc Text: |
Cause:
The policy does not allow super privileged containers set bpf rules on other domains.
Consequence:
Kubernetes does not fully operate with cgroups v2.
Fix:
The rule to allow the unconfined_domain_type attribute to set bpf rules on other domains was added to the policy.
Result:
Kubernetes operate fully with cgroups v2.
|
Story Points: | --- | |
Clone Of: | 1961728 | |||
: | 2011878 2015845 2015846 (view as bug list) | Environment: | ||
Last Closed: | 2022-05-10 15:15:05 UTC | Type: | Bug | |
Regression: | --- | Mount Type: | --- | |
Documentation: | --- | CRM: | ||
Verified Versions: | Category: | --- | ||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
Cloudforms Team: | --- | Target Upstream Version: | ||
Embargoed: | ||||
Bug Depends On: | 1961728, 1965985 | |||
Bug Blocks: | 2011878, 2015845, 2015846 |
Description
Itamar Holder
2021-08-09 07:29:15 UTC
Seems this is the commit to backport: commit 74e737596525407e600f63c0ba4f4df65d5766cd Author: Daniel J Walsh <dwalsh> Date: Fri Jul 16 06:32:34 2021 -0400 Allow unconfined domains to bpf all other domains Signed-off-by: Daniel J Walsh <dwalsh> diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te index 3bea1857f..fb3259a13 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -255,7 +255,7 @@ optional_policy(` # be used on an attribute. # Use bpf tools -allow unconfined_domain_type self:bpf { map_create map_read map_write prog_load prog_run }; +allow unconfined_domain_type domain:bpf { map_create map_read map_write prog_load prog_run }; allow unconfined_domain_type self:lnk_file setattr; Do you want this bz target RHEL 8.5? The commit is the only commit within this PR: https://github.com/containers/container-selinux/pull/138 Meaning commit 4c51e97504d2f458eb3d14a776c9c859908b45b4: "Allow spc_t domains to set bpf rules on any domain". Regarding RHEL version, maybe acardace or sgott can help answer? Zdenek, it would be ideal if this could be backported to 8.4 actually. (In reply to sgott from comment #3) > Zdenek, it would be ideal if this could be backported to 8.4 actually. I am afraid the current target will now be RHEL 8.6. If you need a z-stream backport to an earlier RHEL release, feel free to request it. Thanks Zdenek, would this BZ be that request? I don't see that it has been assigned a target version yet. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2022:1995 |