Bug 1957840 - kubelet service fail to load EnvironmentFile due to SELinux denial
Summary: kubelet service fail to load EnvironmentFile due to SELinux denial
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: container-selinux
Version: 8.4
Hardware: Unspecified
OS: Unspecified
urgent
medium
Target Milestone: beta
: ---
Assignee: Jindrich Novy
QA Contact: Edward Shen
URL:
Whiteboard:
Depends On:
Blocks: mint 1960769
 
Reported: 2021-05-06 15:22 UTC by Juan Manuel Parrilla Madrid
Modified: 2023-09-15 01:06 UTC (History)

Fixed In Version: container-selinux-2.165.1-2.el8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1960769 1969998 (view as bug list)
Environment:
Last Closed: 2021-11-09 17:37:47 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Attachments
semodule -l full (14.42 KB, text/plain)
2021-05-10 16:13 UTC, Micah Abbott


Links
Red Hat Product Errata RHSA-2021:4154 (Private: 0, Priority: None, Status: None, Summary: None, Last Updated: 2021-11-09 17:38:28 UTC)

Description Juan Manuel Parrilla Madrid 2021-05-06 15:22:53 UTC
Description of problem:

When systemd tries to read the env file defined in the kubelet systemd service, SELinux denies that access (this happens in the bootkube stage).

Systemd Unit:

# /etc/systemd/system/kubelet.service

....
....
....
ExecStartPre=/bin/mkdir --parents /etc/kubernetes/manifests
ExecStartPre=/bin/mkdir --parents /etc/kubernetes/kubelet-plugins/volume/exec
ExecStartPre=/usr/local/bin/kubelet-pause-image.sh
Environment=KUBELET_RUNTIME_REQUEST_TIMEOUT=10m
EnvironmentFile=-/etc/kubernetes/kubelet-env
EnvironmentFile=-/etc/kubernetes/kubelet-pause-image-override
....
....


Environment file context:
-rw-r--r--. 1 root root system_u:object_r:kubernetes_file_t:s0 147 May  6 14:32 /etc/kubernetes/kubelet-pause-image-override

AVC Message:
[root@openshift-master-1 core]# grep avc /var/log/audit/audit.log | tail -1 - |audit2why
type=AVC msg=audit(1620311565.546:147): avc:  denied  { read } for  pid=1 comm="systemd" name="kubelet-pause-image-override" dev="loop0" ino=34417753 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:kubernetes_file_t:s0 tclass=file permissive=0

  Was caused by:
      Missing type enforcement (TE) allow rule.

      You can use audit2allow to generate a loadable module to allow this access.


Version-Release number of selected component (if applicable):

4.8.0-0.nightly-2021-04-25-195440

How reproducible:

Always

Steps to Reproduce:
1. Create an env file under /etc/kubernetes
2. Make Kubelet service read that env file 
3. Daemon-Reload and Restart the Kubelet service
4. Review the AVC on the audit log

Actual results:
SELinux blocks systemd from reading the file

Expected results:
Read the file and load the env vars

Additional info:

Comment 1 Eran Cohen 2021-05-06 15:47:27 UTC
Note that crio requires the same configuration but gets it using another script that performs `sed --in-place` on the crio.conf

Comment 2 Micah Abbott 2021-05-06 16:03:19 UTC
```
sh-4.4# audit2allow  -a


#============= init_t ==============
allow init_t kubernetes_file_t:file read;
```

@dwalsh Do you think this should be allowed by default?

Comment 3 Eran Cohen 2021-05-06 17:58:57 UTC
When installing with openshift-installer (kubelet can read the file) this is the selinux context:
ls -lahZ /etc/kubernetes/kubelet-pause-image-override
-rw-r--r--. 1 root root system_u:object_r:container_file_t:s0 146 May  6 17:51 /etc/kubernetes/kubelet-pause-image-override

When installing with assisted-installer:
[root@openshift-master-1 core]# ls -lahZ /etc/kubernetes/kubelet-pause-image-override
-rw-r--r--. 1 root root system_u:object_r:kubernetes_file_t:s0 147 May  6 13:38 /etc/kubernetes/kubelet-pause-image-override 

This is with the same OCP release image (quay.io/openshift-release-dev/ocp-release:4.8.0-fc.0-x86_64)

Comment 4 Colin Walters 2021-05-06 18:06:22 UTC
I think this should be allowed by default in policy.

But there's an easy workaround: just store the environment override outside of `/etc/kubernetes`, say in `/etc/kubelet.env` or something that will be `etc_t`.  Since kubelet itself isn't reading this file, it doesn't need to be in `/etc/kubernetes`.

Comment 5 Igal Tsoiref 2021-05-09 17:44:16 UTC
Started sno installation with assisted-service.
changed Env params in service to:
EnvironmentFile=/etc/kubernetes/kubelet-env
EnvironmentFile=/etc/kubernetes/kubelet-pause-image-override

reloaded daemon and restarted kubelet. Kubelet started as expected and I don't see any errors.

Verified context of env file :
-rw-r--r--. 1 root root system_u:object_r:container_file_t:s0 146 May  9 14:34 /etc/kubernetes/kubelet-pause-image-override

Comment 6 Eran Cohen 2021-05-10 07:33:09 UTC
Seems to be related to this: https://bugzilla.redhat.com/show_bug.cgi?id=1904693

Comment 7 Harshal Patil 2021-05-10 09:12:34 UTC
In my testing on the bootstrap node I made env file /etc/kubernetes/kubelet-pause-image-override mandatory in kubelet service by removing '-'

EnvironmentFile=/etc/kubernetes/kubelet-pause-image-override

If you try to restart the kubelet service after that, it fails because of the reported issue. 

The original SELinux label on the /etc/kubernetes/kubelet-pause-image-override on the bootstrap node was, 

-rw-r--r--. 1 root root system_u:object_r:kubernetes_file_t:s0 147 May 10 08:12 /etc/kubernetes/kubelet-pause-image-override

But when I changed the labels to system_u:object_r:container_file_t:s0 the kubelet service restarted successfully.



I am not sure why the installer is setting those labels incorrectly. Moving this back to RHCOS, should this be sent to the installer team?

Comment 8 Steven Hardy 2021-05-10 10:22:15 UTC
As a data point I see the same with rhcos-48.84.202104271417-0-qemu.x86_64.qcow2.gz

[core@localhost ~]$ ls -lahZ /etc/kubernetes/kubelet-pause-image-override
-rw-r--r--. 1 root root system_u:object_r:kubernetes_file_t:s0 146 May 10 10:15 /etc/kubernetes/kubelet-pause-image-override

Doing a restorecon switches back to container_file_t, so it may be a label issue in the image?

[core@localhost ~]$ sudo restorecon -R /etc
[core@localhost ~]$ ls -lahZ /etc/kubernetes/kubelet-pause-image-override
-rw-r--r--. 1 root root system_u:object_r:container_file_t:s0 146 May 10 10:15 /etc/kubernetes/kubelet-pause-image-override

I did not see this with rhcos-48.83.202103221318-0-qemu.x86_64.qcow2.gz

Comment 9 Steven Hardy 2021-05-10 10:45:05 UTC
Another note, the file is created by this installer script https://github.com/openshift/installer/blob/master/data/data/bootstrap/files/usr/local/bin/kubelet-pause-image.sh.template#L13

However I couldn't reproduce the mislabeled file by re-running that script, so I'm unclear why the file initially has the kubernetes_file_t label.

Comment 10 Juan Manuel Parrilla Madrid 2021-05-10 10:55:02 UTC
OK, testing with the rhcos-4.8.0-fc.3-x86_64-live.x86_64 ISO, it happens in the same way, but with a 4.7 it does not happen. This is the policy over the /etc/kubernetes folder:

[root@openshift-master-1 core]# ls -alhZ /etc | grep kubernetes
drwxr-xr-x.  8 root        root        system_u:object_r:kubernetes_file_t:s0          191 May 10 10:36 kubernetes


So that explains why the files placed under /etc/kubernetes have this context.
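Comments 8 to 10 establish the pattern: a file created under /etc/kubernetes comes out labelled kubernetes_file_t, restorecon relabels it to container_file_t, and the process denied the read is systemd (init_t, PID 1), not the kubelet. The script below is an added example, not code from this bug report, the OpenShift installer or Red Hat. It lists every EnvironmentFile= a unit declares, keeps track of which ones systemd treats as optional (the '-' prefix), and compares each file's current type with the type the loaded policy's file_contexts would assign, which is the ls -Z versus restorecon comparison done by hand above. The unit text and the fake_lookup label table are constructed from values on this page; the kubelet-env and /etc/kubelet.env entries are assumed. host_lookup is what you would use on an SELinux host, via `systemctl cat kubelet.service | audit_unit host_lookup`.

```shell
#!/bin/sh
# Added example for this bug: audit the labels of every EnvironmentFile= a
# systemd unit reads against what the loaded policy says they should be.
# Not code from this report, the OpenShift installer or Red Hat. The unit
# text and the fake_lookup table are constructed from labels seen on this
# page; the kubelet-env and /etc/kubelet.env entries are assumed.

# Unit file on stdin -> "optional|required <path>" per EnvironmentFile= line.
# systemd treats a path prefixed with '-' as optional.
unit_env_files() {
    sed -n 's/^EnvironmentFile=//p' | while IFS= read -r spec; do
        case $spec in
            -*) printf 'optional %s\n' "${spec#-}" ;;
            *)  printf 'required %s\n' "$spec" ;;
        esac
    done
}

# Type component of a context (user:role:type[:level]); the level can contain
# ':' (s0:c1,c2), so take exactly the third field rather than the last.
ctx_type() { printf '%s\n' "$1" | cut -d: -f3; }

# label_status <path> <current ctx> <expected ctx> -> "ok ..." or "relabel ...".
# Only the type is compared: that is what the allow rules in this bug key on.
label_status() {
    cur=$(ctx_type "$2"); exp=$(ctx_type "$3")
    if [ "$cur" = "$exp" ]; then
        printf 'ok %s %s\n' "$1" "$cur"
    else
        printf 'relabel %s %s -> %s\n' "$1" "$cur" "$exp"
    fi
}

# Lookup for a real SELinux host: prints "<current> <expected>" for a path,
# current from stat and expected from the policy's file_contexts.
host_lookup() {
    cur=$(stat -c '%C' "$1") && exp=$(matchpathcon -n "$1") && printf '%s %s\n' "$cur" "$exp"
}

# Offline stand-in for host_lookup with the labels reported in comment 8
# (pause-image-override) and assumed ones for the other two files.
fake_lookup() {
    case $1 in
        /etc/kubernetes/kubelet-pause-image-override)
            printf '%s %s\n' system_u:object_r:kubernetes_file_t:s0 system_u:object_r:container_file_t:s0 ;;
        /etc/kubernetes/kubelet-env)
            printf '%s %s\n' system_u:object_r:container_file_t:s0 system_u:object_r:container_file_t:s0 ;;
        /etc/kubelet.env)
            printf '%s %s\n' system_u:object_r:etc_t:s0 system_u:object_r:etc_t:s0 ;;
        *) return 1 ;;
    esac
}

# audit_unit <lookup fn>: unit on stdin -> one status line per env file.
audit_unit() {
    lookup=$1
    unit_env_files | while read -r kind path; do
        if pair=$("$lookup" "$path"); then
            label_status "$path" "${pair% *}" "${pair#* }" | sed "s/\$/ ($kind)/"
        else
            printf 'unknown %s (%s)\n' "$path" "$kind"
        fi
    done
}

# Constructed unit fragment based on the one quoted in the report, with the
# /etc/kubelet.env line added to show the workaround from comment 4.
SAMPLE_UNIT='[Service]
ExecStartPre=/bin/mkdir --parents /etc/kubernetes/manifests
Environment=KUBELET_RUNTIME_REQUEST_TIMEOUT=10m
EnvironmentFile=-/etc/kubernetes/kubelet-env
EnvironmentFile=-/etc/kubernetes/kubelet-pause-image-override
EnvironmentFile=/etc/kubelet.env'

# Usage: printf '%s\n' "$SAMPLE_UNIT" | audit_unit fake_lookup
#   on a host: systemctl cat kubelet.service | audit_unit host_lookup
```

A "relabel" line means `restorecon -v` on that path would change the type to what the policy intends, as Steven Hardy saw in comment 8. Changing the label by hand as in comment 7 also unblocks the read, but a manual label does not survive the next relabel, whereas placing the file where the default label already suits systemd (comment 4) needs neither step.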

Comment 12 Micah Abbott 2021-05-10 13:41:10 UTC
Summary:

- Running the OCP Assisted Installer on an RHCOS node based on RHEL 8.3 creates a file `/etc/kubernetes/kubelet-pause-image-override` labeled `system_u:object_r:container_file_t:s0`
- Running the OCP Assisted Installer on an RHCOS node based on RHEL 8.4 creates the same file with the label `system_u:object_r:kubernetes_file_t:s0`
- When the `/etc/kubernetes/kubelet-pause-image-override` file is labeled `system_u:object_r:kubernetes_file_t:s0`, the `kubelet` cannot access the file with an SELinux denial:

type=AVC msg=audit(1620311565.546:147): avc:  denied  { read } for  pid=1 comm="systemd" name="kubelet-pause-image-override" dev="loop0" ino=34417753 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:kubernetes_file_t:s0 tclass=file permissive=0

- `audit2allow` provides the following rule:


```
sh-4.4# audit2allow  -a


#============= init_t ==============
allow init_t kubernetes_file_t:file read;
```

- We think this transition should be allowed, so we are re-routing the BZ to the SELinux team for additional triage.
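The rule quoted in comments 2 and 12 is a direct rewrite of four fields of the AVC record: the type in scontext becomes the source domain, the type in tcontext the target type, tclass the object class, and the braces after "denied" hold the permissions. The script below, added here as an example and not tooling from this report, Red Hat or the SELinux project, performs that mapping on AVC records read from stdin so the derivation is visible. Only the first sample record is the one from the report; the other three lines are constructed. Unlike audit2allow it does not merge permissions across records or consult booleans, and it discards records logged with permissive=1, since those never blocked anything. One point to keep in mind before loading such a rule locally: the subject is init_t, i.e. PID 1 reading the file on behalf of every unit, so `allow init_t kubernetes_file_t:file read;` widens what systemd itself may read rather than what the kubelet may read, which is why it is worth first confirming, as comments 8 to 10 did, that the file label is the one the policy intends.

```shell
#!/bin/sh
# Added example for this bug: rewrite AVC "denied" records from audit.log as
# the allow rule audit2allow prints for them. Not code from this report,
# Red Hat or the SELinux project. Only the first sample record below is the
# one from the report; the other three lines are constructed.

# Type component of an SELinux context (user:role:type[:level]). The level
# may itself contain ':' (e.g. s0:c1,c2), so take exactly the third field.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Value of an unquoted key=value field in an AVC record (empty if absent).
avc_field() {
    printf '%s\n' "$2" | sed -n "s/.* $1=\([^ ]*\).*/\1/p"
}

# One record -> "allow <src> <tgt>:<class> <perm>;" (several perms -> "{ a b }").
# Returns 1 for lines that are not AVC denials and 2 for denials logged while
# the domain was permissive (permissive=1): nothing was blocked in that case,
# so no rule is needed to change behaviour.
avc_to_rule() {
    rec=$1
    case $rec in
        *'avc:  denied'*) ;;
        *) return 1 ;;
    esac
    [ "$(avc_field permissive "$rec")" = 1 ] && return 2
    perms=$(printf '%s\n' "$rec" | sed -n 's/.*denied *{\([^}]*\)}.*/\1/p' \
            | tr -s ' ' | sed 's/^ //; s/ $//')
    src=$(ctx_type "$(avc_field scontext "$rec")")
    tgt=$(ctx_type "$(avc_field tcontext "$rec")")
    cls=$(avc_field tclass "$rec")
    case $perms in
        *' '*) perms="{ $perms }" ;;
    esac
    printf 'allow %s %s:%s %s;\n' "$src" "$tgt" "$cls" "$perms"
}

# Audit log on stdin -> distinct rules for the enforced denials it contains.
avc_rules() {
    while IFS= read -r rec; do
        avc_to_rule "$rec" || true
    done | LC_ALL=C sort -u
}

# Constructed sample log: line 1 is the record from the report, line 2 the
# SYSCALL record that accompanies it (abbreviated), line 3 a denial with two
# permissions, line 4 a denial logged in permissive mode.
SAMPLE_AUDIT_LOG='type=AVC msg=audit(1620311565.546:147): avc:  denied  { read } for  pid=1 comm="systemd" name="kubelet-pause-image-override" dev="loop0" ino=34417753 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:kubernetes_file_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1620311565.546:147): arch=c000003e syscall=257 success=no exit=-13 comm="systemd" exe="/usr/lib/systemd/systemd"
type=AVC msg=audit(1620311565.901:148): avc:  denied  { read open } for  pid=1 comm="systemd" name="kubelet-env" dev="loop0" ino=34417754 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:kubernetes_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1620311570.000:149): avc:  denied  { write } for  pid=1 comm="systemd" name="kubelet-env" dev="loop0" ino=34417754 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:kubernetes_file_t:s0 tclass=file permissive=1'

# Usage: printf '%s\n' "$SAMPLE_AUDIT_LOG" | avc_rules
#   on a host: grep avc /var/log/audit/audit.log | avc_rules
```

Run against the sample it prints `allow init_t kubernetes_file_t:file read;` for the report's record and `allow init_t kubernetes_file_t:file { read open };` for the constructed two-permission one, and nothing for the permissive record. On a real host, feed it `grep avc /var/log/audit/audit.log` and compare with `audit2allow -a`; any rule whose source is init_t deserves a second look at the file's label before it goes into a local module.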

Comment 16 Milos Malik 2021-05-10 14:56:50 UTC
Please provide a list of policy modules which are active on your machine:

# semodule -lfull

Please tell us more about the kubernetes_file_t type:

# seinfo -tkubernetes_file_t -x


SELinux policy packages shipped in RHEL-8.x do not define kubernetes_file_t type, even if the container-selinux package is installed:

# seinfo -tkubernetes_file_t -x

Types: 0
# semodule -lfull | grep container
200 container         pp         
#

Comment 17 Micah Abbott 2021-05-10 16:13:46 UTC
Created attachment 1781757 [details]
semodule -l full

Comment 18 Micah Abbott 2021-05-10 17:58:27 UTC
```
sh-4.4# seinfo -tkubernetes_file_t -x

Types: 1
   type kubernetes_file_t, file_type, non_auth_file_type, non_security_file_type;
```

See the attachment with the semodules, too.

Comment 19 Zdenek Pytela 2021-05-10 19:15:33 UTC
kubernetes_file_t is a part of container-selinux and I think this problem needs to be addressed there:

# rpm -q container-selinux
container-selinux-2.158.0-1.module+el8.4.0+10607+f4da7515.noarch

# seinfo -tkubernetes_file_t -x

Types: 1
   type kubernetes_file_t, file_type, non_auth_file_type, non_security_file_type;

Comment 21 Daniel Walsh 2021-05-11 13:03:54 UTC
https://github.com/containers/container-selinux/releases/tag/v2.162.0

Now we need to get this packaged up for RHEL.

Comment 29 Daniel Walsh 2021-06-11 13:29:04 UTC
This should be in the current version of container-selinux.

Comment 30 Jindrich Novy 2021-06-15 10:37:50 UTC
Fix for this was released via RHSA-2021:2371: https://errata.devel.redhat.com/advisory/76279/builds

Comment 35 Daniel Walsh 2021-08-25 12:27:22 UTC
Will be in v2.165.1. (I had a typo in the previous version).

This should show up in RHEL 8.5

Comment 40 Daniel Walsh 2021-08-26 10:43:17 UTC
I would be fine with backporting the entire container-selinux to RHEL8.4

Comment 46 errata-xmlrpc 2021-11-09 17:37:47 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: container-tools:rhel8 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:4154

Comment 47 Red Hat Bugzilla 2023-09-15 01:06:11 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days

