1.6.x: SElinux Relabelling broken for Kubernetes volume mounts #6767
Any feedback on this, please?

Or at least can someone confirm if this feature/process was removed for a good reason? I cannot seem to find anything in the changelogs.

Think I found the root cause. This opencontainers/selinux#172 seems to match. Update: That is the issue indeed. Built containerd with these changes: 768af24
Fixed with #6865
Description

The issue was originally reported here: coreos/fedora-coreos-tracker#1138, suspecting an issue between FCOS v35.20220213.3.0 and 35.20220227.3.0, where the containerd version was upgraded from 1.5.8 to 1.6.0 in the latter. Most of the investigation details are available on the linked issue, but in short: containerd 1.6.0/1.6.2 is not relabelling volume mounts with the context labels passed by kubelet for containers.

Example: container coredns with a configmap volume mount. On a system running containerd 1.5.8, Corefile is correctly labelled based on the container's context label info provided by kubelet. However, with 1.6.x, Corefile is not relabelled at all, which results in an access deny as per the audit log above.

Based on actual container inspection, selinux_relabel is actually set:

Also mountLabel is being passed by kubelet correctly as well:

"mountLabel": "system_u:object_r:container_file_t:s0:c134,c755"

Steps to reproduce the issue

loading Caddyfile via flag: open /etc/coredns/Corefile: permission denied

Describe the results you received and expected

spec.securityContext of a container) SElinux context labels. However, SElinux context labels are being ignored.

What version of containerd are you using?

containerd github.com/containerd/containerd v1.6.2 de8046a

Any other relevant information

Show configuration if it is related to CRI plugin.
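To check whether a relabel actually landed on a volume's files (the symptom in this report), here is an added Go example; it is not containerd's or opencontainers/selinux's code. The mountLabel is the value quoted above; the file paths and the observed labels are constructed, standing in for what ls -Z would show on the mount.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Label is the part of an SELinux context a volume relabel must set: type and MCS level.
type Label struct{ Type, Level string }

// ParseLabel extracts them from user:role:type:level, for example
// system_u:object_r:container_file_t:s0:c134,c755 (the level keeps its own colon).
func ParseLabel(s string) (Label, error) {
	p := strings.SplitN(s, ":", 4)
	if len(p) != 4 || p[2] == "" {
		return Label{}, fmt.Errorf("malformed SELinux label %q", s)
	}
	return Label{Type: p[2], Level: p[3]}, nil
}

// MissingRelabels returns, sorted, the paths (path -> label as ls -Z shows it) whose
// label differs from mountLabel in type or MCS categories; either mismatch is denied.
func MissingRelabels(observed map[string]string, mountLabel string) ([]string, error) {
	want, err := ParseLabel(mountLabel)
	if err != nil {
		return nil, err
	}
	var bad []string
	for path, l := range observed {
		got, err := ParseLabel(l)
		if err != nil {
			return nil, err
		}
		if got != want {
			bad = append(bad, path)
		}
	}
	sort.Strings(bad)
	return bad, nil
}

func main() {
	// mountLabel is the value quoted in the issue; the observed labels are constructed.
	bad, err := MissingRelabels(map[string]string{
		"/etc/coredns/Corefile": "system_u:object_r:container_file_t:s0:c134,c755",
		"/etc/coredns/extra":    "system_u:object_r:container_var_lib_t:s0",
	}, "system_u:object_r:container_file_t:s0:c134,c755")
	fmt.Println("not relabelled:", bad, err) // not relabelled: [/etc/coredns/extra] <nil>
}
```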