1594485 – SELinux denial in docker-registry pod where /etc/pki is mounted

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1594485 - SELinux denial in docker-registry pod where /etc/pki is mounted

Summary: SELinux denial in docker-registry pod where /etc/pki is mounted

Keywords:
Status:	CLOSED WONTFIX
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	container-selinux
Sub Component:
Version:	7.4
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Jindrich Novy
QA Contact:	atomic-bugs@redhat.com
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2018-06-23 15:51 UTC by Nicholas Schuetz
Modified:	2020-06-03 14:46 UTC (History)
CC List:	5 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2020-06-03 14:46:55 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
audit log (3.18 KB, text/plain) 2018-06-25 18:02 UTC, Nicholas Schuetz	no flags	Details
View All

Description Nicholas Schuetz 2018-06-23 15:51:16 UTC

So i have a need for Openshift to use a self-signed cert for my internal docker registry.  During install, i modify my apiserver.yaml to include the volumeMount/hostPath for /etc/pki.  That works, although it's a hack.

For the next step, i have to add a similar config to the docker-registry pod (post-deployment).  To do that, i do this:

oc patch dc docker-registry -p '{"spec":{"template":{"spec":{"containers":[{"name":"registry","volumeMounts":[{"mountPath":"/etc/pki","name":"certs"}]}],"volumes":[{"hostPath":{"path":"/etc/pki","type":"Directory"},"name":"certs"}]}}}}'

and then adjust the scc to allow the hostPath:

oc adm policy add-scc-to-user hostaccess -z registry -n default

But that still doesnt work.  I have to 'setenforce 0' on all infra nodes to get this to work.  Obviously, SELinux is preventing me from mounting my pki directory in the docker-registry pod.  Note that i cannot pull-through the internal registry without doing this.

atomic-openshift-3.10.6-1

-Nick

Comment 1 Ben Parees 2018-06-23 15:58:16 UTC

you could also provide the /etc/pki/tls/cert.pem file(assuming it contains all your trusted CAs) via a configmap mount which would not require these permissions.

But I'm going to send this bug to the pod team for starters to see if they can offer guidance on why the selinux is preventing access to the mounted hostpath.

Comment 2 Nicholas Schuetz 2018-06-23 15:59:39 UTC

related:  https://bugzilla.redhat.com/show_bug.cgi?id=1592936

Comment 3 Nicholas Schuetz 2018-06-23 16:45:36 UTC

i was able to fix this by adjusting the context in /etc/pki on all my infra nodes.

chcon -R --type=container_t /etc/pki

Comment 4 Seth Jennings 2018-06-25 15:48:00 UTC

Relabeling /etc/pki on the host to be container accessible is not advised for security reasons.  A bad container could write to /etc/pki on the host and get the host trust bad certs.

Thus selinux is behaving as expected blocking container access to /etc/pki on the host.

I would recommend doing what Ben recommends and mounting your CAs in from a secret, not hostPathing them from the node.  Openshift has fairly (effectively) limited support for hostPath as many parts of the host filesystem are inaccessible to containers because of selinux.

For the docker-registry, this works.  However, you do have the issue of the apiserver static pods not being able to access secrets without the apiserver already being up, so mounting them in with a secret is chicken-egg problematic.

I am not experienced enough about the recommended config for using an external CA (in this cases, self-signed) in the cluster.

Back to Image Registry for additional guidance on how this could be done in 3.10.

Comment 5 Ben Parees 2018-06-25 16:18:26 UTC

> Thus selinux is behaving as expected blocking container access to /etc/pki on the host.

shouldn't selinux at least allow the read?  (I don't think a write is being attempted).

Comment 6 Seth Jennings 2018-06-25 16:58:07 UTC

What changed about v3.10 that introduced this? The apiserver being in a pod?

Was this pattern of installing custom certs in /etc/pki used in 3.9 since the apiserver ran as a host process (not in a container)?

If so, we should allow reads on cert_t from container_t and this bug should go to RHEL product container-selinux component.

Comment 7 Nicholas Schuetz 2018-06-25 17:03:34 UTC

Yes.  Also, the docker-registry pod(s) need access because the images are now "pulled-through" the internal registry.

Comment 8 Ben Parees 2018-06-25 17:27:40 UTC

The specific issue Nicholas ran into is that the imagestreams in 3.10 leverage pullthrough (in 3.9 they did not).  Pullthrough means now the internal registry is responsible for pulling the images from the external registry, instead of the host's docker daemon doing it.

That means the internal docker registry needs to be able to trust the external registry, which means including potentially self-signed certs in the docker-registry pod.  This was an issue that periodically came up before 3.10, but now that our out of box examples are using pullthrough it's a bit more likely for users to hit it (even so most users won't hit it because the imagestreams reference a trusted registry..but Nicholas has modified them to reference an untrusted registry).


The apiserver being in a pod is presenting similar problems, but it's worth noting that Nicholas did not hit any selinux problems when mounting host certs into the apiserver pod.  Only when mounting them into the docker-registry pod.

Anyway regardless of why it's coming up now and whether or not the configmap/secret mount approach is better than a hostmount, it still seems like the reads should be allowed.  And i'd like to understand why the apiserver pod is not having problems while the docker-registry pod is.  Is it related to SCCs?

Comment 9 Seth Jennings 2018-06-25 17:56:04 UTC

It is because the apiserver pod runs as a SPC (super privileged container, type spc_t) which has read access to most everything on the host.

# ps -feZ | grep "openshift start master"
system_u:system_r:spc_t:s0      root      93131  93115  4 17:35 ?        00:00:53 openshift start master api --config=/etc/origin/master/master-config.yaml --loglevel=2
system_u:system_r:spc_t:s0      root      93355  93340  5 17:35 ?        00:01:03 openshift start master controllers --config=/etc/origin/master/master-config.yaml --listen=https://0.0.0.0:8444 --loglevel=2
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 100528 97636  0 17:55 pts/0 00:00:00 grep --color=auto openshift start master

from apiserver.yaml:

    securityContext:
      privileged: true

Comment 10 Nicholas Schuetz 2018-06-25 18:02:53 UTC

Created attachment 1454446 [details]
audit log

Comment 11 Ben Parees 2018-06-25 18:29:36 UTC

Ok, i'm going to send this to container-selinux per comment 6, in that I believe /etc/pki should always be readable (but not necessarily writable) w/o special privileges.  Thanks Seth!

Meanwhile we'll continue to work on improving the experience around providing certs to the docker-registry pod w/o using hostmounts so users can avoid this problem entirely (step 1 for that is to document how to use a configmap or secret instead).

Comment 14 Daniel Walsh 2020-06-03 14:46:55 UTC

Since RHEL7 is no longer supported, I am going to close this as WONTFIX.
The way to probably handle this is with custom policy using udica.

Note You need to log in before you can comment on or make changes to this bug.