Bug 1692369 - SELinux denies containers access to cephfs volume [NEEDINFO]
Summary: SELinux denies containers access to cephfs volume
Status: ON_QA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Containers
Version: 4.1
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 4.1.0
Assignee: Lokesh Mandvekar
QA Contact: weiwei jiang
Depends On:
Blocks: 1694045
Reported: 2019-03-25 13:03 UTC by Jan Safranek
Modified: 2019-04-15 06:55 UTC (History)

Fixed In Version: container-selinux-2.94
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed:
Target Upstream Version:
smilner: needinfo? (imcleod)


Description Jan Safranek 2019-03-25 13:03:26 UTC
Not sure if it's the right component, feel free to reassign to selinux-policy.

When I start an OCP 4.1 pod with a CephFS volume, the pod can't access the volume:

  ls: can't open '/vol1': Permission denied

Corresponding AVC:

Mar 25 12:02:31 ip-10-0-174-105 kernel: audit: type=1400 audit(1553515351.425:5): avc:  denied  { write } for  pid=73814 comm="sh" name="/" dev="ceph" ino=1 scontext=system_u:system_r:container_t:s0:c2,c23 tcontext=system_u:object_r:cephfs_t:s0 tclass=dir permissive=0

Version-Release number of selected component (if applicable):
RHCOS 410.8.20190322.0

How reproducible:

Steps to Reproduce:
1. Get a CephFS volume (not Ceph RBD!)
2. Use it in a pod
3. Read the volume in the pod

Additional info:
CephFS is a shared filesystem similar to Gluster or NFS. In RHEL8, CephFS is handled by the "ceph" kernel module. It might have been fuse in RHEL7.

IMO, it should behave the same as other shared filesystems like Gluster or NFS - there should be a boolean like virt_use_ceph (or _cephfs?), which would be enabled by default on RHCOS.

Comment 1 Daniel Walsh 2019-03-26 10:48:34 UTC
Is it possible to mount the cephfs storage with a context mount?

mount -o context="system_u:object_r:container_file_t:s0"

Comment 2 Jan Safranek 2019-03-26 15:03:08 UTC
(In reply to Daniel Walsh from comment #1)
> Is it possible to mount the cephfs storage with a context mount?
> mount -o context="system_u:object_r:container_file_t:s0"

It is, however, all other shared volumes are handled using SELinux boolean and IMO CephFS should do the same.

Comment 3 Daniel Walsh 2019-03-27 10:28:03 UTC
Sure we can add the boolean, but this is far less secure.

Specifically labeling the specific share to use prevents an escaped container from reading and writing other cephfs shares not intended for containers.

Comment 4 Jan Safranek 2019-03-28 15:50:15 UTC
We're trying to make Kubernetes as unaware of the underlying storage labeling as possible. We just pass context to CSI. And volumes are already mounted at that time.

Comment 5 Daniel Walsh 2019-03-28 23:55:56 UTC
Well at the expense of security.

container-selinux 2.94 has support for containers using cephfs.

container_use_cephfs --> off
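The following shell snippet is an added example, not code from this bug or from the container-selinux project. It takes an AVC line in the shape of the one in the description (a constructed copy is embedded), pulls out the source and target SELinux types, and prints the two remediations discussed in this thread: the narrow per-share context mount from comment 1 and the broad `container_use_cephfs` boolean from comment 5. The `<cephfs-share>` and `<mountpoint>` arguments in the printed mount command are placeholders; nothing is mounted or changed, the functions only classify and print.

```shell
#!/bin/sh
# Added example (not part of the bug report): classify an SELinux AVC denial
# and print the remediation options discussed in this bug.

# Constructed sample AVC line, shaped like the one in the bug description.
SAMPLE_AVC='Mar 25 12:02:31 ip-10-0-174-105 kernel: audit: type=1400 audit(1553515351.425:5): avc:  denied  { write } for  pid=73814 comm="sh" name="/" dev="ceph" ino=1 scontext=system_u:system_r:container_t:s0:c2,c23 tcontext=system_u:object_r:cephfs_t:s0 tclass=dir permissive=0'

# avc_field LINE KEY -> value of "KEY=value" in an AVC line (empty if absent)
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# selinux_type CONTEXT -> the type component (third field) of a context string
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_permission LINE -> the permission(s) listed inside "{ ... }"
avc_permission() {
    printf '%s\n' "$1" | sed -n 's/.*{ \([^}]*\) }.*/\1/p' | sed 's/[[:space:]]*$//'
}

# classify_avc LINE -> "container-cephfs" when a container_t domain is denied
# on a cephfs_t object, otherwise "other"
classify_avc() {
    src=$(selinux_type "$(avc_field "$1" scontext)")
    tgt=$(selinux_type "$(avc_field "$1" tcontext)")
    if [ "$src" = "container_t" ] && [ "$tgt" = "cephfs_t" ]; then
        echo container-cephfs
    else
        echo other
    fi
}

# remediation LINE -> prints the options, narrowest first. The context mount
# confines access to one share; the boolean (container-selinux >= 2.94) lets
# every container domain reach every cephfs_t object, as comment 3 warns.
remediation() {
    case "$(classify_avc "$1")" in
    container-cephfs)
        echo 'narrow: mount -o context="system_u:object_r:container_file_t:s0" <cephfs-share> <mountpoint>'
        echo 'broad:  setsebool -P container_use_cephfs on'
        ;;
    *)
        echo 'no cephfs-specific remediation; inspect with: ausearch -m AVC -ts recent'
        ;;
    esac
}

remediation "$SAMPLE_AVC"
```

Run it as `sh avc-cephfs.sh` (file name is arbitrary). The classification deliberately keys on the type fields only, since the MCS categories (`c2,c23`) differ per pod and are irrelevant to which policy change is needed.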
