Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

recursive Relabel() skips symlinks #172

Closed
rrayst opened this issue Mar 17, 2022 · 1 comment
Closed

recursive Relabel() skips symlinks #172

rrayst opened this issue Mar 17, 2022 · 1 comment

Comments

@rrayst
Copy link
Contributor

rrayst commented Mar 17, 2022

Problem

As described in the comment, Relabel() should recursively change the SELinux label on a path and all entries beneath that path.

selinux/go-selinux/label/label_linux.go

Line 106 in c9f6104

// Relabel changes the label of path and all the entries beneath the path.

Currently, it skips symlinks (and instead relabels their targets).

Explanation

1b18907 changed the semantics of setFileLabel() from not-dereferencing to dereferencing symlinks before applying the label change. (It also introduced the non-dereferencing lSetFileLabel(): The setFileLabel/ lSetFileLabel semantics became the same as the one of the kernel syscalls setxattr/lsetxattr.)

Relabel() mentioned above calls (Relabel -> Chcon -> chcon ->) rchcon to get the job done. rchcon recursively calls setFileLabel on the path as well as on each item below.

selinux/go-selinux/rchcon.go

Lines 13 to 15 in c9f6104

func rchcon(fpath, label string) error {
return pwalkdir.Walk(fpath, func(p string, _ fs.DirEntry, _ error) error {
e := setFileLabel(p, label)

Solution

This should be changed to lSetFileLabel().

Result

When running Kubernetes (kubelet) 1.23.4 on top of containerD 1.6.0 on a SELinux-enabled system, this causes ConfigMaps to be unusuable by normal Pods:

[root@node ~]# ls -laZR /var/lib/kubelet/pods/2839514d-bc4b-4521-b029-5474a9c96fc5/volumes/kubernetes.io~configmap/config
/var/lib/kubelet/pods/2839514d-bc4b-4521-b029-5474a9c96fc5/volumes/kubernetes.io~configmap/config:
total 0
drwxrwsrwx. 3 root core system_u:object_r:container_file_t:s0:c294,c792 89 Mar 17 21:48 .
drwxr-xr-x. 3 root root system_u:object_r:container_var_lib_t:s0        20 Mar 17 21:48 ..
drwxr-sr-x. 2 root core system_u:object_r:container_file_t:s0:c294,c792 36 Mar 17 21:48 ..2022_03_17_21_48_25.904560199
lrwxrwxrwx. 1 root core system_u:object_r:container_var_lib_t:s0        31 Mar 17 21:48 ..data -> ..2022_03_17_21_48_25.904560199
lrwxrwxrwx. 1 root core system_u:object_r:container_var_lib_t:s0        29 Mar 17 21:48 demo.json -> ..data/demo.json

/var/lib/kubelet/pods/2839514d-bc4b-4521-b029-5474a9c96fc5/volumes/kubernetes.io~configmap/config/..2022_03_17_21_48_25.904560199:
total 4
drwxr-sr-x. 2 root core system_u:object_r:container_file_t:s0:c294,c792  36 Mar 17 21:48 .
drwxrwsrwx. 3 root core system_u:object_r:container_file_t:s0:c294,c792  89 Mar 17 21:48 ..
-rw-r--r--. 1 root core system_u:object_r:container_file_t:s0:c294,c792 350 Mar 17 21:48 demo.json

(In contrast to the directories and normal files, the symlinks have not been relabeled and are therefore not readable by any process running inside of the container.)
rrayst added a commit to rrayst/selinux that referenced this issue Mar 17, 2022
@rrayst
Fixes opencontainers#172.
c5a16ce 
Signed-off-by: Tobias Polley <polley@predic8.de>
@thaJeztah thaJeztah mentioned this issue Mar 21, 2022
Merged
@rrayst
Copy link
Contributor Author

rrayst commented Mar 23, 2022

Fixed by #173 .

@rrayst rrayst closed this as completed Mar 23, 2022
This was referenced Apr 25, 2022
Closed
Merged
Merged
Merged
Merged
cmurphy pushed a commit to cmurphy/k3s-containerd that referenced this issue Apr 25, 2022
@brandond
Pin opencontainers/selinux v1.10.1
87b5862 
Fixes symlink relabeling issue in
opencontainers/selinux#172

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
@log1cb0mb log1cb0mb mentioned this issue Apr 26, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@rrayst