Bug 1272413 - Permission denied when writing to the dir for a GCE PD volume even when SELinux is permissive
Status: CLOSED CURRENTRELEASE
Product: OpenShift Origin
Classification: Red Hat
Component: Storage
3.x
Unspecified Unspecified
Priority: medium
Severity: medium
Assigned To: Sami Wagiaalla
Liang Xia
Reported: 2015-10-16 06:56 EDT by Liang Xia
Modified: 2016-06-07 18:46 EDT (History)

Fixed In Version: atomic-openshift-3.0.2.905-0.git.0.85d6f88.el7aos
Doc Type: Bug Fix
Last Closed: 2015-11-23 16:13:59 EST
Type: Bug
Description Liang Xia 2015-10-16 06:56:27 EDT
Description of problem:
Permission denied when writing to the directory of a mounted GCE PD volume, even when SELinux is permissive.

Version-Release number of selected component (if applicable):
openshift v1.0.6-644-ga034e2f
kubernetes v1.1.0-alpha.1-653-g86b4e77

How reproducible:
always

Steps to Reproduce:
1. Set SELinux to permissive:
setenforce 0

2. Create PV, PVC, pod.
oc create -f https://raw.githubusercontent.com/openshift-qe/v3-testfiles/master/persistent-volumes/gce/pv-retain-rwx.json
oc create -f https://raw.githubusercontent.com/openshift-qe/v3-testfiles/master/persistent-volumes/gce/claim-rwx.json
oc get pv
oc create -f pod.json
{
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {
        "name": "gce1",
        "labels": {
            "name": "frontendhttp"
        }
    },
    "spec": {
        "containers": [{
            "name": "myfrontend",
            "image": "jhou/hello-openshift",
            "imagePullPolicy": "IfNotPresent",
            "securityContext": {
              "capabilities": {},
              "privileged": true
            },
            "ports": [{
                "containerPort": 80,
                "name": "http-server"
            }],
            "volumeMounts": [{
                "mountPath": "/mnt/gce",
                "name": "pvol"
            }]
        }],
        "volumes": [{
            "name": "pvol",
            "persistentVolumeClaim": {
                "claimName": "gcec"
            }
        }]
    }
}

oc get pods
NAME      READY     STATUS    RESTARTS   AGE
gce1      1/1       Running   0          21m


3. Write to the persistent disk.
oc exec gce1 -it -- bash
bash-4.2$ touch /mnt/gce/file1
touch: cannot touch '/mnt/gce/file1': Permission denied
bash-4.2$ ls -ld /mnt/gce/
drwxr-xr-x. 2 root root 4096 Oct 16 08:38 /mnt/gce/


Actual results:
Failed to create the file, permission denied.

Expected results:
Be able to create the file.

Additional info:
ls -Zd /root/openshift/openshift.local.volumes/pods/df11fceb-73ee-11e5-a8af-42010af00004/volumes/kubernetes.io~gce-pd/gce
drwxr-xr-x. root root system_u:object_r:unlabeled_t:s0 /root/openshift/openshift.local.volumes/pods/df11fceb-73ee-11e5-a8af-42010af00004/volumes/kubernetes.io~gce-pd/gce
Comment 2 Jan Safranek 2015-10-19 08:25:55 EDT
I can reproduce the bug, but only with SELinux in Enforcing mode. In permissive mode, my pod can write to a GCE PD, even using your .json files (only with a different pdName in pv-retain-rwx.json).


The reason is that Kubernetes/OpenShift creates a new filesystem there with unlabeled_t and Docker containers are not allowed to write there.

Can you please confirm it's caused by SELinux? Your "setenforce 0" in step 1 implies otherwise, and I cannot reproduce the bug then.
Comment 5 Sami Wagiaalla 2015-10-22 11:16:18 EDT
> /root/openshift/openshift.local.volumes/pods/df11fceb-73ee-11e5-a8af-
> 42010af00004/volumes/kubernetes.io~gce-pd/gce
> drwxr-xr-x. root root system_u:object_r:unlabeled_t:s0

https://github.com/kubernetes/kubernetes/pull/15323 should solve the labeling problem, but your pod will have to specify an SELinux label in SecurityContext.SELinuxOptions.Level
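An added example, not code from the bug report, from the kubernetes PR or from the origin fix. It turns the two observations in comments 2 and 5 into something a node admin can run: a POSIX shell script that parses an `ls -Zd` line for a volume directory and reports whether it carries the `unlabeled_t` type that containers cannot write to under Enforcing mode, and a function that emits the reporter's pod.json with the one addition comment 5 calls for, an explicit level in `securityContext.seLinuxOptions` (the v1 JSON spelling of `SecurityContext.SELinuxOptions.Level`). The sample `ls -Zd` lines, the `<POD_UID>` placeholder, the `svirt_sandbox_file_t` type in the relabelled sample and the level value `s0:c1,c2` are constructed for the example; pick a level your SCC actually permits.

```shell
#!/bin/sh
# Added diagnostic example; not part of the bug report or of the fix.
#  1. selinux_type_of / volume_is_unlabeled: parse an `ls -Zd` line and
#     detect the unlabeled_t type described in comments 2 and 5.
#  2. pod_spec_with_level: the reporter's pod spec plus an explicit
#     securityContext.seLinuxOptions.level, which comment 5 says the fixed
#     kubelet needs in order to label the GCE PD mount.

# Constructed sample inputs, modelled on the `ls -Zd` line in the report
# (the real pod UID is replaced by a placeholder).
SAMPLE_UNLABELED='drwxr-xr-x. root root system_u:object_r:unlabeled_t:s0 /root/openshift/openshift.local.volumes/pods/<POD_UID>/volumes/kubernetes.io~gce-pd/gce'
# The same directory after relabelling for container use (constructed;
# svirt_sandbox_file_t is the type docker applied to container volumes).
SAMPLE_LABELED='drwxr-xr-x. root root system_u:object_r:svirt_sandbox_file_t:s0:c1,c2 /root/openshift/openshift.local.volumes/pods/<POD_UID>/volumes/kubernetes.io~gce-pd/gce'

# Print the SELinux type (third field of user:role:type:level) of the first
# security-context token in an `ls -Z`-style line. Returns 1 when the line
# carries no context at all (ls run without -Z, or a filesystem without
# xattr support), so callers can tell "no label" from "wrong label".
selinux_type_of() {
    for tok in $1; do
        case "$tok" in
            *:*:*:*) printf '%s\n' "$tok" | cut -d: -f3; return 0 ;;
        esac
    done
    return 1
}

# Succeeds (exit 0) when the line shows unlabeled_t, the condition in the
# report that makes `touch` fail inside the container under Enforcing.
volume_is_unlabeled() {
    [ "$(selinux_type_of "$1")" = "unlabeled_t" ]
}

# Run the check against a real volume directory on a node, e.g.
#   check_volume_dir /root/openshift/openshift.local.volumes/pods/<POD_UID>/volumes/kubernetes.io~gce-pd/gce
check_volume_dir() {
    line=$(ls -Zd "$1")
    if volume_is_unlabeled "$line"; then
        echo "WARN: $1 is unlabeled_t; containers get 'Permission denied' under Enforcing"
        return 1
    fi
    echo "OK: $1 is $(selinux_type_of "$line")"
}

# Reporter's pod spec with one addition: seLinuxOptions.level in the
# container securityContext. Everything else (including privileged: true)
# is kept as posted so the change is visible in isolation.
pod_spec_with_level() {
    cat <<EOF
{
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "gce1", "labels": {"name": "frontendhttp"}},
    "spec": {
        "containers": [{
            "name": "myfrontend",
            "image": "jhou/hello-openshift",
            "imagePullPolicy": "IfNotPresent",
            "securityContext": {
                "capabilities": {},
                "privileged": true,
                "seLinuxOptions": {"level": "$1"}
            },
            "ports": [{"containerPort": 80, "name": "http-server"}],
            "volumeMounts": [{"mountPath": "/mnt/gce", "name": "pvol"}]
        }],
        "volumes": [{"name": "pvol", "persistentVolumeClaim": {"claimName": "gcec"}}]
    }
}
EOF
}
```

On a node, `check_volume_dir <volume dir>` gives a one-line verdict before you start a pod; `pod_spec_with_level s0:c1,c2 | oc create -f -` creates the pod with the level set. The type check deliberately only flags `unlabeled_t`, the state the thread documents, rather than guessing which other types a given policy allows.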
Comment 7 Sami Wagiaalla 2015-10-29 09:36:42 EDT
Upstream PR merged.

This PR will bring the fix to origin: https://github.com/openshift/origin/pull/5169

Please test with the above branch or wait for it to get merged to verify.
Comment 9 Liang Xia 2015-11-02 03:38:26 EST
Verified user can read/write in the pod when SELinux is enforcing.

# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28

# oc exec gce -it -- bash
bash-4.2$ ls /mnt/gce/
file1
bash-4.2$ touch /mnt/gce/file2
bash-4.2$ ls /mnt/gce/
file1  file2

# openshift version
openshift v1.0.7-109-g3cf7f3c
kubernetes v1.2.0-alpha.1-1107-g4c8e6f4
etcd 2.1.2

Moving the bug to verified.
