AVC denied for docker while trying to set labels for tmpfs mounts

Sujithra P sujithrap at gmail.com
Wed Jul 21 22:17:38 UTC 2021


Thanks Paul!

Is there any specific CentOS/RH mailing list that I can ask on? Not sure
whether it is a problem with the kernel/docker/kubelet.
semodule -R seems to fix the problem, but I am not sure what is causing the
loaded policy to get corrupted.
Any insight on how to figure this out would be very much appreciated.

Thanks
Sujithra.

On Wed, Jul 21, 2021 at 2:01 PM Paul Moore <paul at paul-moore.com> wrote:
>
> On Wed, Jul 21, 2021 at 2:46 PM Sujithra P <sujithrap at gmail.com> wrote:
> >
> > Hi SELinux Experts,
> >
> > The following issue is described in the below post as well.
> > https://github.com/containers/container-selinux/issues/141
> >
> > Occasionally running into the following selinux denials for docker
> >
> > type=AVC msg=audit(1626732057.636:4583): avc:  denied  { associate }
> > for  pid=57450 comm="dockerd" name="/" dev="tmpfs" ino=150014
> > scontext=system_u:object_r:container_file_t:s0:c263,c914
> > tcontext=system_u:object_r:lib_t:s0 tclass=filesystem permissive=0
> >
> > type=AVC msg=audit(1626812823.170:9434): avc:  denied  { associate }
> > for  pid=20027 comm="dockerd" name="/" dev="tmpfs" ino=198147
> > scontext=system_u:object_r:container_file_t:s0:c578,c672
> > tcontext=system_u:object_r:locale_t:s0 tclass=filesystem permissive=0
> >
> >
> >  level=error msg="Handler for POST
> > /v1.40/containers/a3a875e7896384e3bff53b8317e91ed4301a13957f42187eb227f28e09bd877c/start
> > returned error: error setting label on mount source
> > '/var/lib/kubelet/pods/f7cee5b2-bcd9-4aa1-9d67-c75b677ba2a1/volumes/kubernetes.io~secret/secret':
> > failed to set file label on
> > /var/lib/kubelet/pods/f7cee5b2-bcd9-4aa1-9d67-c75b677ba2a1/volumes/kubernetes.io~secret/secret:
> > permission denied"
> >
> >
> > Docker is not able to set labels for these tmpfs mounts because they
> > end up having wrong labels when they are created (sometimes
> > "locale_t", sometimes "lib_t" which of course is not the
> > default/correct context for tmpfs fs).
> > Apparently semodule -R and deleting these tmpfs files, or a reboot of the
> > node, fixes the problem.
> > Not sure what is causing the tmpfs mounts to get wrong labels in the
> > first place.
> >
> > Everything seems to be fine to begin with, but as the system keeps
> > scheduling pods on the node, this behavior is observed sometimes (not
> > consistent always).
> >
> >
> > OS Details:
> >
> > NAME="CentOS Linux"
> > VERSION="8 (Core)"
> > ID="centos"
> > ID_LIKE="rhel fedora"
> > VERSION_ID="8"
> > PLATFORM_ID="platform:el8"
> > PRETTY_NAME="CentOS Linux 8 (Core)"
> >
> > Docker Version:
> > Client: Docker Engine - Community
> > Version: 19.03.13
> > API version: 1.40
> > Go version: go1.13.15
> > Git commit: 4484c46d9d
> > Built: Wed Sep 16 17:02:36 2020
> > OS/Arch: linux/amd64
> > Experimental: false
> >
> > Kubernetes Version:
> > v1.20.8-gke.1500
> >
> >
> > Any help on how to debug this issue would be greatly appreciated.
>
> This sounds like it might be a problem with CentOS and/or your Docker
> install, have you tried talking with the RH/CentOS folks about this
> problem?  We focus mostly on upstream issues here and it isn't clear
> to me at this moment that this is an upstream issue.
>
> --
> paul moore
> www.paul-moore.com
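The denials above are "filesystem associate" checks: when dockerd relabels a file to container_file_t on a tmpfs, the policy must allow container_file_t to associate with the label of that filesystem, which for a tmpfs is normally tmpfs_t, not lib_t or locale_t. The script below is an added triage example, not code from the thread or from container-selinux; it parses raw AVC lines (the two from the mail, plus one constructed unrelated denial so the filter has something to skip) and reports only the pattern under discussion, assuming tmpfs_t is the expected filesystem label.

```shell
#!/bin/sh
# Added example (not from the thread): triage AVC lines for the failure mode
# discussed above, i.e. a "filesystem associate" denial where the tmpfs that a
# container file is being relabeled on carries a non-tmpfs label (lib_t, locale_t).
# SAMPLE_AVCS is constructed: the two denials from the mail joined back onto
# single lines, plus one unrelated file-write denial that must be ignored.

SAMPLE_AVCS='type=AVC msg=audit(1626732057.636:4583): avc:  denied  { associate } for  pid=57450 comm="dockerd" name="/" dev="tmpfs" ino=150014 scontext=system_u:object_r:container_file_t:s0:c263,c914 tcontext=system_u:object_r:lib_t:s0 tclass=filesystem permissive=0
type=AVC msg=audit(1626812823.170:9434): avc:  denied  { associate } for  pid=20027 comm="dockerd" name="/" dev="tmpfs" ino=198147 scontext=system_u:object_r:container_file_t:s0:c578,c672 tcontext=system_u:object_r:locale_t:s0 tclass=filesystem permissive=0
type=AVC msg=audit(1626812900.000:9500): avc:  denied  { write } for  pid=20100 comm="nginx" name="index.html" dev="dm-0" ino=12 scontext=system_u:system_r:container_t:s0:c1,c2 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0'

# avc_field LINE KEY: value of KEY=... from one AVC line, surrounding quotes stripped.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perm LINE: the permission named inside "{ ... }".
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*{[[:space:]]*\([^} ]*\)[[:space:]]*}.*/\1/p'
}

# se_type CONTEXT: the type (third colon-separated field) of an SELinux context.
se_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# classify_avc LINE: "mislabeled-tmpfs <type>" for the pattern in the thread,
# "other" for everything else.  tmpfs_t as the expected label is an assumption.
classify_avc() {
    avc=$1
    perm=$(avc_perm "$avc")
    tclass=$(avc_field "$avc" tclass)
    dev=$(avc_field "$avc" dev)
    ttype=$(se_type "$(avc_field "$avc" tcontext)")
    if [ "$tclass" = filesystem ] && [ "$perm" = associate ] \
       && [ "$dev" = tmpfs ] && [ "$ttype" != tmpfs_t ]; then
        printf 'mislabeled-tmpfs %s\n' "$ttype"
    else
        printf 'other\n'
    fi
}

# avc_tmpfs_check: read audit output on stdin (e.g. from ausearch), print one
# report line per mislabeled-tmpfs hit; non-AVC lines are skipped.
avc_tmpfs_check() {
    while IFS= read -r entry; do
        case $entry in type=AVC*) ;; *) continue ;; esac
        verdict=$(classify_avc "$entry")
        case $verdict in
            mislabeled-tmpfs*)
                printf 'pid=%s comm=%s ino=%s scontext_type=%s fs_label=%s expected=tmpfs_t\n' \
                    "$(avc_field "$entry" pid)" "$(avc_field "$entry" comm)" \
                    "$(avc_field "$entry" ino)" "$(se_type "$(avc_field "$entry" scontext)")" \
                    "${verdict#mislabeled-tmpfs }"
                ;;
        esac
    done
}

# count_mislabeled_tmpfs: number of hits in the constructed sample.
count_mislabeled_tmpfs() {
    printf '%s\n' "$SAMPLE_AVCS" | avc_tmpfs_check | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_AVCS" | avc_tmpfs_check
```

On a live node, source the functions and feed real events with `ausearch -m AVC -ts recent | avc_tmpfs_check`; each hit names the inode of the tmpfs whose root has the wrong label, which can be confirmed with `ls -dZ` on the corresponding mount point. To rule out the policy itself, `sesearch -A -s container_file_t -c filesystem -p associate` (setools) should list tmpfs_t among the allowed targets; if it does, the denial is caused by the filesystem's label, not by a missing rule, which matches the thread's observation that `semodule -R` (a relabel of the running policy's filesystem contexts) clears it.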



More information about the Linux-security-module-archive mailing list