Bug 1600818 - Fluentd pod's process should not run with selinux context spc_t as this gives them full access to the node.
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Containers
Version: 3.7.1
Hardware: All
OS: Unspecified
Target Milestone: ---
: 3.7.z
Assignee: Daniel Walsh
QA Contact: weiwei jiang
Depends On:
Reported: 2018-07-13 06:19 UTC by Anshul Verma
Modified: 2019-03-30 07:06 UTC
CC: 9 users

Fixed In Version: container-selinux-2.89
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed:
Target Upstream Version:


Description Anshul Verma 2018-07-13 06:19:48 UTC
Description of problem:

Hello Team,

For logging, the fluentd pods need to read /var/log along with other mount points. Usually, for regular pods with the Restricted SCC, the pod's processes run with the 'container_runtime_t' SELinux context, but as the fluentd pods need more privilege, the pods' processes are running with the spc_t SELinux context, which is too permissive: it gives the pod more access to the node on which it is running than it needs, because its securityContext is set to privileged: true in the DaemonSet.

    LABEL                                      PID TTY          TIME CMD
    system_u:system_r:container_t:s0:c745,c869   1 ?        00:00:00 pod
    system_u:system_r:spc_t:s0                  10 ?        00:09:49 fluentd
    system_u:system_r:spc_t:s0                  72 ?        00:00:00 sh
    system_u:system_r:spc_t:s0                  88 ?        00:00:00 ps

While checking this, we observed that with container-selinux-2.55 the pods' processes run with 'container_runtime_t'. When the container-selinux version is 2.66, i.e. container-selinux-2.66, the context 'container_runtime_t' transitions to 'spc_t'.
Docker is running with the 'container_runtime_t' context in both of the above cases. Checked on docker versions 1.12 and 1.13.

Can we have something so that the fluentd pods do not have that much access to the nodes on which they are running?
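An added example (not part of the bug report and not code from OpenShift's logging component) that turns the check above into a small audit script: it parses the output format of `ps -Z`, extracts the SELinux type from each process label and flags processes whose type is in an unconfined set. The sample output is constructed from the listing above, and treating only spc_t as unconfined is an assumption made for this example.

```python
import re

# Constructed sample in the column layout of `ps -Z` / `ps -eZ`, modelled on the
# listing in the bug report; it is not captured from a real node.
SAMPLE_PS_OUTPUT = """\
LABEL                             PID TTY          TIME CMD
system_u:system_r:container_t:s0:c745,c869 1 ? 00:00:00 pod
system_u:system_r:spc_t:s0         10 ?        00:09:49 fluentd
system_u:system_r:spc_t:s0         72 ?        00:00:00 sh
system_u:system_r:spc_t:s0         88 ?        00:00:00 ps
"""

# SELinux types that mean the process has no meaningful container confinement.
# Only spc_t is listed here; extend the set for your own policy (assumption).
UNCONFINED_TYPES = {"spc_t"}

# label  pid  tty  time  cmd (cmd may contain spaces, so it takes the rest of the line)
LINE_RE = re.compile(
    r"^(?P<label>\S+)\s+(?P<pid>\d+)\s+(?P<tty>\S+)\s+(?P<time>\S+)\s+(?P<cmd>.+)$"
)


def selinux_type(label):
    """Return the type field of a label of the form user:role:type:level[:categories]."""
    parts = label.split(":")
    return parts[2] if len(parts) >= 3 else ""


def parse_ps_z(text):
    """Return a list of (pid, selinux_type, cmd) tuples; the header line is skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header ("PID" is not numeric) or an unparseable line
        rows.append((int(m.group("pid")), selinux_type(m.group("label")), m.group("cmd").strip()))
    return rows


def find_unconfined(text):
    """Return (pid, cmd) for every process whose SELinux type is in UNCONFINED_TYPES."""
    return [(pid, cmd) for pid, stype, cmd in parse_ps_z(text) if stype in UNCONFINED_TYPES]


if __name__ == "__main__":
    # On a live system you would feed in the output of `ps -eZ` (or `oc exec <pod> -- ps -Z`).
    for pid, cmd in find_unconfined(SAMPLE_PS_OUTPUT):
        print(f"pid {pid} ({cmd}) runs unconfined")
```

Running it on the sample reports fluentd, sh and ps (pids 10, 72 and 88) as unconfined while the pod infrastructure process, which carries container_t with its MCS categories, is not flagged.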

Comment 2 Daniel Walsh 2018-07-25 17:57:49 UTC
container-selinux now has a type called container_logreader_t, which I would love to have someone try out to see if it can work with this.

Comment 16 Daniel Walsh 2018-10-27 12:50:49 UTC
You can specify the SELinux type to run containers with kubernetes as well.

To assign SELinux labels to a Container, include the seLinuxOptions field in the securityContext section of your Pod or Container manifest. The seLinuxOptions field is an SELinuxOptions object. Here's an example that applies an SELinux level:

    level: "s0:c123,c456"

I believe

    type: "container_logreader_t"

should work.
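An added example, not from the bug and not from the OpenShift logging project, that puts the setting proposed in this comment next to the setting the bug is about, with an audit function that flags the weak one. The two pod specs are constructed for illustration (the image name is a placeholder) in the shape `oc get pod -o json` returns under `.spec`; whether container_logreader_t actually grants fluentd what it needs on a given node's policy is, as the comment says, something to be tested.

```python
import json

# Constructed pod spec resembling the logging DaemonSet the bug describes:
# privileged, so the process ends up as spc_t, and /var/log mounted read-write.
WEAK_SPEC = {
    "containers": [{
        "name": "fluentd",
        "image": "fluentd:example",  # placeholder image name
        "securityContext": {"privileged": True},
        "volumeMounts": [{"name": "varlog", "mountPath": "/var/log"}],
    }],
    "volumes": [{"name": "varlog", "hostPath": {"path": "/var/log"}}],
}

# Constructed hardened spec: not privileged, an explicit confined SELinux type
# (the one suggested in Comment 16; assumed to suit fluentd), /var/log read-only.
HARDENED_SPEC = {
    "containers": [{
        "name": "fluentd",
        "image": "fluentd:example",  # placeholder image name
        "securityContext": {
            "privileged": False,
            "seLinuxOptions": {"type": "container_logreader_t"},
        },
        "volumeMounts": [{"name": "varlog", "mountPath": "/var/log", "readOnly": True}],
    }],
    "volumes": [{"name": "varlog", "hostPath": {"path": "/var/log"}}],
}

# Types that leave the container effectively unconfined (assumption: only spc_t).
UNCONFINED_TYPES = {"spc_t"}


def audit_pod_spec(spec):
    """Return human-readable findings for containers that would run with node-level access."""
    findings = []
    pod_sc = spec.get("securityContext") or {}
    volumes = {v.get("name"): v for v in spec.get("volumes", [])}
    for c in spec.get("containers", []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            findings.append(f"{name}: privileged=true, process will run as spc_t with full node access")
        # container-level seLinuxOptions take precedence over pod-level ones
        selinux = sc.get("seLinuxOptions") or pod_sc.get("seLinuxOptions") or {}
        stype = selinux.get("type")
        if stype in UNCONFINED_TYPES:
            findings.append(f"{name}: seLinuxOptions.type={stype} is unconfined")
        for vm in c.get("volumeMounts", []):
            vol = volumes.get(vm.get("name"), {})
            if "hostPath" in vol and not vm.get("readOnly", False):
                path = vol["hostPath"].get("path")
                findings.append(f"{name}: hostPath {path} mounted read-write at {vm.get('mountPath')}")
    return findings


if __name__ == "__main__":
    for label, spec in (("weak", WEAK_SPEC), ("hardened", HARDENED_SPEC)):
        print(label, audit_pod_spec(spec) or "no findings")
    # The securityContext block to carry into the fluentd container of the DaemonSet:
    print(json.dumps(HARDENED_SPEC["containers"][0]["securityContext"], indent=2))
```

The weak spec yields two findings (privileged, and /var/log read-write); the hardened spec yields none. Keep the read-only mount even with a confined type, since the logreader role only needs to read.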

Comment 20 Daniel Walsh 2019-03-08 19:58:08 UTC
Fixed in container-selinux-2.89
