Create a way to skip SELinux relabelling a volume #2656

Closed

rpkelly opened this issue Dec 13, 2022 · 1 comment
Labels: area/security (Related to security aspects of the project), status/in-progress (This issue is currently being worked on), type/enhancement (New feature or request)

Comments
@rpkelly (Contributor)

rpkelly commented Dec 13, 2022

What I'd like:
An option or series of options to skip relabeling all files in an attached volume.

Any alternatives you've considered:
Marking a volume readonly already does this, but for obvious reasons it is not always a workable solution.

@rpkelly rpkelly added type/enhancement New feature or request status/needs-triage Pending triage or re-evaluation labels Dec 13, 2022
@bcressey bcressey added area/security Related to security aspects of the project status/in-progress This issue is currently being worked on and removed status/needs-triage Pending triage or re-evaluation labels Jan 26, 2023
@bcressey (Contributor)

With the policy change in #2738, it is now possible to skip relabeling by mounting the filesystem with this option:

context=system_u:object_r:local_t:s0

(Using an object type other than local_t is not permitted.)

For CSI drivers, there is an additional hurdle. The mount command is frequently built to be SELinux-aware, and will query libselinux to see if it reports that SELinux is enabled. If not, it will silently discard SELinux-related options like context. libselinux in turn will check for a mounted selinuxfs and an /etc/selinux/config with the SELINUX= option set. These conditions are chosen so that most containers will report that SELinux is disabled unless the container specifically opts in.

So the first step is to add volumes for the CSI driver to mount the SELinux-related paths from the host:

volumes:
# other CSI driver volumes
- hostPath:
    path: /var/lib/kubelet
    type: Directory
  name: kubelet-dir
...
# SELinux specific volumes
- hostPath:
    path: /sys/fs/selinux
    type: Directory
  name: selinuxfs
- hostPath:
    path: /etc/selinux/config
    type: FileOrCreate
  name: selinux-config

Then the node agent needs to place these mounts in the expected location:

volumeMounts:
# other CSI driver volume mounts
- mountPath: /var/lib/kubelet
  mountPropagation: Bidirectional
  name: kubelet-dir
...
# SELinux specific volume mounts
- mountPath: /sys/fs/selinux
  name: selinuxfs
- mountPath: /etc/selinux/config
  name: selinux-config

After that, the mount option can be specified in the storage class for the CSI driver:

apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: ebs-sc
provisioner: ebs.csi.aws.com
volumeBindingMode: WaitForFirstConsumer
parameters:
  fsType: ext4
  type: gp3
mountOptions:
  - context="system_u:object_r:local_t:s0"
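The comment above describes two things that can go wrong silently: the CSI driver container may not see SELinux as enabled (so `mount` drops the `context=` option), and a volume may end up mounted without the expected `local_t` context. The following shell script is an added example, not code from the Bottlerocket project or from this issue's participants. It reproduces the two libselinux conditions named in the comment (a mounted selinuxfs and `SELINUX=` set in the config file) as a check over a mounts table, and then looks up the `context=` option of a given mountpoint. All file contents, the pod UID and the PVC names are constructed sample data; on a real node you would point the functions at `/proc/self/mounts` and `/etc/selinux/config` from inside the CSI driver container.

```shell
#!/bin/sh
# Added example, not part of the Bottlerocket issue or project.
# Checks (1) whether a container would see SELinux as enabled, using the
# two conditions the comment attributes to libselinux, and (2) whether a
# volume was mounted with the context= option the StorageClass requested.

# Constructed sample of /proc/self/mounts as seen inside the CSI driver
# container after the hostPath volumes have been added. Pod UID and PVC
# names are placeholders.
SAMPLE_MOUNTS='overlay / overlay rw,relatime,context="system_u:object_r:container_t:s0" 0 0
selinuxfs /sys/fs/selinux selinuxfs rw,relatime 0 0
/dev/nvme1n1 /var/lib/kubelet/pods/EXAMPLE-POD-UID/volumes/kubernetes.io~csi/pvc-example/mount ext4 rw,seclabel,relatime,context=system_u:object_r:local_t:s0 0 0
/dev/nvme2n1 /var/lib/kubelet/pods/EXAMPLE-POD-UID/volumes/kubernetes.io~csi/pvc-nocontext/mount ext4 rw,seclabel,relatime 0 0'

# Constructed sample of /etc/selinux/config.
SAMPLE_CONFIG='SELINUX=enforcing
SELINUXTYPE=fortified'

# selinux_visible MOUNTS_FILE CONFIG_FILE
# Returns 0 when a selinuxfs is mounted and SELINUX= is set to enforcing
# or permissive, i.e. when an SELinux-aware mount would keep context=.
selinux_visible() {
    mounts_file=$1
    config_file=$2
    awk '$3 == "selinuxfs" { found = 1 } END { exit !found }' "$mounts_file" || return 1
    grep -Eq '^SELINUX=(enforcing|permissive)$' "$config_file" || return 1
    return 0
}

# mount_context MOUNTS_FILE MOUNTPOINT
# Prints the value of the context= option for MOUNTPOINT (quotes removed).
# Returns 1 if the mount is absent or carries no context= option, which is
# what you see when mount silently discarded the option.
mount_context() {
    mounts_file=$1
    target=$2
    awk -v target="$target" '
        $2 == target {
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) {
                if (index(opts[i], "context=") == 1) {
                    val = substr(opts[i], 9)
                    gsub(/"/, "", val)
                    print val
                    found = 1
                }
            }
        }
        END { exit !found }
    ' "$mounts_file"
}

# check_volume MOUNTS_FILE CONFIG_FILE MOUNTPOINT
# Combined check with a one-line verdict; returns 0 only when SELinux is
# visible and the volume carries a local_t context.
check_volume() {
    if ! selinux_visible "$1" "$2"; then
        echo "SELinux not visible in this container: mount would discard context="
        return 1
    fi
    ctx=$(mount_context "$1" "$3") || { echo "no context= option on $3"; return 1; }
    case $ctx in
        *:local_t:*) echo "ok: $3 mounted with context=$ctx"; return 0 ;;
        *) echo "unexpected context on $3: $ctx"; return 1 ;;
    esac
}

# Stand-alone demonstration over the constructed samples.
demo_dir=$(mktemp -d)
printf '%s\n' "$SAMPLE_MOUNTS" > "$demo_dir/mounts"
printf '%s\n' "$SAMPLE_CONFIG" > "$demo_dir/config"
check_volume "$demo_dir/mounts" "$demo_dir/config" \
    /var/lib/kubelet/pods/EXAMPLE-POD-UID/volumes/kubernetes.io~csi/pvc-example/mount || :
check_volume "$demo_dir/mounts" "$demo_dir/config" \
    /var/lib/kubelet/pods/EXAMPLE-POD-UID/volumes/kubernetes.io~csi/pvc-nocontext/mount || :
rm -rf "$demo_dir"
```

Running `selinux_visible /proc/self/mounts /etc/selinux/config` inside the CSI node agent is a quick way to confirm that the two hostPath mounts from the comment actually landed where libselinux looks; if it fails, the StorageClass `mountOptions` will appear to be ignored even though they are correct.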
