Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 2006050

Summary: kubelet is running with the SELinux type "unconfined_service_t "
Product: OpenShift Container Platform Reporter: Divyam Pateriya <dpateriy>
Component: RHCOSAssignee: RHCOS Bug Triage <rhcos-triage>
Status: CLOSED DUPLICATE QA Contact: Michael Nguyen <mnguyen>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 4.7CC: aos-bugs, dornelas, harpatil, jligon, josorior, lucab, mrussell, nstielau, travier
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-04 07:16:36 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Divyam Pateriya 2021-09-20 18:39:46 UTC
Description of problem: Compliance operator: kubelet is running with the SELinux type "unconfined_service_t"


Version-Release number of selected component (if applicable):
OCP 4.7

How reproducible:
100%

Steps to Reproduce:
1. Take SSH to any of the OCP nodes

2. Execute the below command:

   $sudo ps -eZ | grep "unconfined_service_t"

   system_u:system_r:unconfined_service_t:s0 1748 ? 3-18:43:59 kubelet
 
Actual results:

Daemons that run with the unconfined_service_t context may cause AVC denials,
or allow privileges that the daemon does not require.

Kubelet is running with SELinux type "unconfined_service_t"

Expected results:

There should be no unconfined daemons running on the system, the following command should produce no output:

$ sudo ps -eZ | grep "unconfined_service_t"

Additional info:

The above findings came after running a compliance scan with profile "rhcos4-moderate" and currently, there is no way to address the above issue.

id: xccdf_org.ssgproject.content_rule_selinux_confinement_of_daemons

Comment 2 Luca BRUNO 2021-10-04 07:16:36 UTC
Duplicate of https://bugzilla.redhat.com/show_bug.cgi?id=1984226.
The above has been fixed in 4.7.30, but this ticket does not mention the actual cluster version.
I'm closing this, please make sure that the whole cluster is upgraded to the latest 4.7.x release (currently: 4.7.32) where this should be already fixed.

*** This bug has been marked as a duplicate of bug 1984226 ***