Bug 2005997 - SELinux domain container_logreader_t does not have a policy to follow sym links for log files
Summary: SELinux domain container_logreader_t does not have a policy to follow sym lin...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Containers
Version: 4.7
Hardware: noarch
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: ---
Target Release: 4.10.0
Assignee: Jindrich Novy
QA Contact: pmali
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2021-09-20 16:07 UTC by Todd Johnson
Modified: 2022-03-10 16:12 UTC

Fixed In Version: container-selinux-2.169.0-1.el9
Doc Type: Bug Fix
Doc Text:
Cause: missing allow rules in policy
Consequence: /var/log/containers log files unreadable
Fix: https://github.com/containers/container-selinux/releases/tag/v2.169.0
Result: fixed
Clone Of:
Environment:
Last Closed: 2022-03-10 16:12:09 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2022:0056 0 None None None 2022-03-10 16:12:37 UTC

Description Todd Johnson 2021-09-20 16:07:48 UTC
Description of problem:
A container using the SELinux domain of container_logreader_t to read container logs on the host at /var/log cannot access the logs from /var/log/containers since those logs are a symbolic link to /var/log/pods.  All other log files in /var/log are accessible just not ones that are symlinks.

Version-Release number of selected component (if applicable):
4.7, 4.8 openshift
rhel 7.9 and 8.x

How reproducible:
Create a container with a host path to /var/log/. Set the security context to use an SELinux options type of container_logreader_t.
Actual results:
From within the container, try to read from a log file at /var/log/containers.  You'll get a permission denied message, for example:

ls: cannot access 'prometheus-adapter-7ff45fb5d7-djj4c_openshift-monitoring_prometheus-adapter-52a62260297bdc91c64301f1b254d761f31c2c920946091df9219452d229ab72.log': Permission denied

The AVC error shows the following:

time->Mon Sep 20 10:00:58 2021
type=PROCTITLE msg=audit(1632150058.037:5751017): proctitle=6C73002D2D636F6C6F723D6175746F
type=SYSCALL msg=audit(1632150058.037:5751017): arch=c000003e syscall=6 success=no exit=-13 a0=7ffdfac56590 a1=564d17852a70 a2=564d17852a70 a3=0 items=0 ppid=32510 pid=33015 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid= egid=0 sgid=0 fsgid=0 tty=pts0 ses=4294967295 comm="ls" exe="/bin/ls" subj=system_u:system_r:container_logreader_t:s0:c152,c493 key=(null)
type=AVC msg=audit(1632150058.037:5751017): avc:  denied  { getattr } for  pid=33015 comm="ls" path="/var/log/containers/prometheus-adapter-7ff45fb5d7-djj4c_openshift-monitoring_prometheus-adapter-52a62260297bdc91c64301f1b54d761f31c2c920946091df9219452d229ab72.log" dev="vda2" ino=3016396 scontext=system_u:system_r:container_logreader_t:s0:c152,c493 tcontext=system_u:object_r:var_log_t:s0 tclass=lnk_file permissive=0

sh-4.2# ls -la /var/log/containers/prom*
[1] 120154
sh-4.2# lrwxrwxrwx. 1 root root 132 Sep 20 07:08 /var/log/containers/prometheus-adapter-7ff45fb5d7-djj4c_openshift-monitoring_prometheus-adapter-52a62260297bdc91c64301f1b254d761f31c2c920946091df9219452d229ab72.log -> /var/log/pods/openshift-monitoring_prometheus-adapter-7ff45fb5d7-djj4c_52b6ed3d-3900-4e1d-bf5b-e5ee7f9f4c08/prometheus-adapter/0.log

I can read the log file from /var/log/pods just not via the symlink.


Expected results:

Log files should be readable via a symlink.

Additional info:
On my RHEL 7.9 host:

sh-4.2# rpm -q container-selinux
container-selinux-2.119.2-1.911c772.el7_8.noarch

I have the same problem on my 8.4 host which uses:
sh-4.4# rpm -q container-selinux
container-selinux-2.162.0-1.module+el8.4.0+11311+9da8acfb.noarch

On my 7.9 host, I used audit2allow (twice) to generate the following policy:

#============= container_logreader_t ==============
allow container_logreader_t var_log_t:lnk_file getattr;
allow container_logreader_t var_log_t:lnk_file read;

Then it worked fine.

Comment 1 Tom Sweeney 2021-09-21 18:27:27 UTC
@dwalsh can you take a look at this and assign it to yourself, please?  The Bugzilla system isn't letting me change assignees at the moment.

Comment 11 Daniel Walsh 2021-10-05 23:12:38 UTC
We only rebase for EUS releases, and only if it is definitely a show stopper, i.e. no workaround.

Comment 14 Todd Johnson 2021-10-12 14:33:42 UTC
This is the type enforcement file I created to work around the problem:


module logreader-links 1.0;

require {
        type container_logreader_t;
        # Log file types (var_log_t among them) carry this attribute, so one
        # rule covers symlinks of any log type instead of just var_log_t.
        attribute logfile;
        class lnk_file { getattr read };
}

#============= container_logreader_t ==============
# getattr lets ls stat the symlink; read lets the kernel follow it to its target.
allow container_logreader_t logfile:lnk_file { getattr read };
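
The two audit2allow runs in the description and the hand-written module above both come from the same AVC records, so the following added example (not code from the bug report, from audit2allow or from container-selinux) shows a minimal stand-in for what `audit2allow -M` does: parse AVC denial lines, merge the denied permissions per (source type, target type, class), and render them as allow rules and as a loadable .te module. The first sample line is the report's AVC record with the long file name shortened; the second is a constructed `read` denial of the kind that appears once the `getattr` rule is loaded, which is why the reporter had to run the tool twice. Names such as `parse_denials` and `te_module` are this example's own.

```python
"""Turn SELinux AVC denial records into allow rules and a .te policy module.

Added example, not code from the bug report or from container-selinux.  It
mimics the part of `audit2allow -M` that matters here: one allow rule per
(source type, target type, class) with the denied permissions merged.
"""
import re
from collections import defaultdict

# Sample input.  Line 1 is the report's AVC record with the file name
# shortened; line 2 is constructed to look like the follow-up denial you get
# after `allow ... lnk_file getattr;` is loaded and the next access needs read.
AVC_LINES = [
    'type=AVC msg=audit(1632150058.037:5751017): avc:  denied  { getattr } for  pid=33015 '
    'comm="ls" path="/var/log/containers/prometheus-adapter.log" dev="vda2" ino=3016396 '
    'scontext=system_u:system_r:container_logreader_t:s0:c152,c493 '
    'tcontext=system_u:object_r:var_log_t:s0 tclass=lnk_file permissive=0',
    'type=AVC msg=audit(1632150100.000:5751020): avc:  denied  { read } for  pid=33020 '
    'comm="cat" path="/var/log/containers/prometheus-adapter.log" dev="vda2" ino=3016396 '
    'scontext=system_u:system_r:container_logreader_t:s0:c152,c493 '
    'tcontext=system_u:object_r:var_log_t:s0 tclass=lnk_file permissive=0',
]

# Permissions inside the braces, then the three fields a rule needs.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def selinux_type(context):
    """user:role:type[:level] -> the type field (third component)."""
    return context.split(':')[2]


def parse_denials(lines):
    """Return {(source_type, target_type, class): set(perms)} for all AVC records."""
    denials = defaultdict(set)
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, PROCTITLE and other non-AVC records are skipped
        key = (selinux_type(m['scontext']), selinux_type(m['tcontext']), m['tclass'])
        denials[key].update(m['perms'].split())
    return denials


def allow_rules(denials):
    """One allow rule per key, permissions merged and sorted for stable output."""
    return [
        f'allow {src} {tgt}:{cls} {{ {" ".join(sorted(perms))} }};'
        for (src, tgt, cls), perms in sorted(denials.items())
    ]


def te_module(name, version, denials):
    """Render a policy module in the shape audit2allow -M produces."""
    types = sorted({t for (src, tgt, _) in denials for t in (src, tgt)})
    classes = defaultdict(set)
    for (_, _, cls), perms in denials.items():
        classes[cls].update(perms)
    out = [f'module {name} {version};', '', 'require {']
    out += [f'\ttype {t};' for t in types]
    out += [f'\tclass {c} {{ {" ".join(sorted(p))} }};' for c, p in sorted(classes.items())]
    out += ['}', '']
    out += allow_rules(denials)
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    print(te_module('logreader-links', '1.0', parse_denials(AVC_LINES)))
```

The rendered module is built and loaded the same way as any audit2allow output (`checkmodule -M -m -o logreader-links.mod logreader-links.te`, `semodule_package -o logreader-links.pp -m logreader-links.mod`, `semodule -i logreader-links.pp`), and `sesearch -A -s container_logreader_t -t var_log_t -c lnk_file` confirms the rule is active. Two things worth noting: the generated rule names the concrete type from the AVC (var_log_t), whereas the reporter's hand-written module targets the `logfile` attribute and so covers every type carrying it; and `lnk_file { getattr read }` only lets the domain stat and resolve the link itself, since the kernel then checks the target file against its own type, which is why the logs under /var/log/pods were readable all along. On hosts with container-selinux 2.169.0 or later the rules ship in the policy and no local module is needed.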

Comment 15 Daniel Walsh 2021-10-13 14:10:16 UTC
Fixes are in https://github.com/fedora-selinux/selinux-policy/pull/898

Comment 16 Todd Johnson 2021-11-08 17:29:56 UTC
From what I can tell, the fix is included in the el9 RPM. Since this fix is important for logging agent pods, will this fix be back ported to existing RHEL/RH Coreos versions that are used for openshift worker nodes?

Comment 17 Tom Sweeney 2021-11-08 18:17:15 UTC
Todd,

Unless this is a blocker, I don't believe this will be backported to RH Coreos.  However @miabbott would have the definitive answer there.

Comment 18 Micah Abbott 2021-11-08 22:01:05 UTC
(In reply to Tom Sweeney from comment #17)
> Todd,
> 
> Unless this is a blocker, I don't believe this will be backported to RH
> Coreos.  However @miabbott would have the definitive answer there.

Based on the private comments on this BZ, there are no plans to backport this into RHEL 8.4, so it is not likely to land in any existing RHCOS/OCP releases.

Comment 24 errata-xmlrpc 2022-03-10 16:12:09 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:0056

