Allow kubelet_t to create a sock file kubelet_var_lib_t

[rhatdan]

No description provided.

[packit-as-a-service]

We were not able to find or create Copr project packit/containers-container-selinux-329 specified in the config with the following error:

Packit received HTTP 500 Internal Server Error from Copr Service. Check the Copr status page: https://copr.fedorainfracloud.org/status/stats/, or ask for help in Fedora Build System matrix channel: https://matrix.to/#/#buildsys:fedoraproject.org.

---

Unless the HTTP status code above is >= 500, please check your configuration for:

1. typos in owner and project name (groups need to be prefixed with @)
2. whether the project name doesn't contain not allowed characters (only letters, digits, underscores, dashes and dots must be used)
3. whether the project itself exists (Packit creates projects only in its own namespace)
4. whether Packit is allowed to build in your Copr project
5. whether your Copr project/group is not private

[rhatdan]

@lsm5 ANy idea what is blowing up with rpm-builds?

[packit-as-a-service]

Ephemeral COPR build failed. @containers/packit-build please check.

[packit-as-a-service]

Tests failed. @containers/packit-build please check.

[packit-as-a-service]

Ephemeral COPR build failed. @containers/packit-build please check.

[packit-as-a-service]

Tests failed. @containers/packit-build please check.

[Tal-or]

@rhatdan After testing it locally on my nodes I got the following error under the pods:

  Warning  Failed          8s                 kubelet            Error: container create failed: time="2024-09-17T21:56:46Z" level=error msg="runc create failed: unable to start container process: error during container init: write /proc/self/attr/keycreate: invalid argument"

The pods are running with the kubelet_var_lib_t context
However maybe I was doing something wrong while testing it.
This is how I tested it:

1. cloned the branch with the changes
2. make
3. convert the container.pp to container.cil
4. copying all the rules that are dealing with kubelet_var_lib_t to the existing container.cil on my system
5. installing the modified container.cil with sudo semodule -i container.cil

[Tal-or]

My bad it the pod was suppose to be running as container_device_plugin_t.
So I did.
But the pod resources API socket is still created as container_var_lib_t

But as I said in my previous comment, maybe i'm testing it wrong because I didn't manage to build the package and fully load it on my system.

[lsm5]

My bad it the pod was suppose to be running as container_device_plugin_t. So I did. But the pod resources API socket is still created as container_var_lib_t

But as I said in my previous comment, maybe i'm testing it wrong because I didn't manage to build the package and fully load it on my system.

@Tal-or would you be able to install the package built in the CI copr jobs. See https://copr.fedorainfracloud.org/coprs/packit/containers-container-selinux-329/build/8024924/

[Tal-or]

My bad it the pod was suppose to be running as container_device_plugin_t. So I did. But the pod resources API socket is still created as container_var_lib_t
But as I said in my previous comment, maybe i'm testing it wrong because I didn't manage to build the package and fully load it on my system.

@Tal-or would you be able to install the package built in the CI copr jobs. See https://copr.fedorainfracloud.org/coprs/packit/containers-container-selinux-329/build/8024924/

Thank you @lsm5 are those builds compatible with RHCOS ?

[Tal-or]

Thank you @lsm5 I managed to install the package, using: https://download.copr.fedorainfracloud.org/results/packit/containers-container-selinux-329/epel-9-x86_64/08024926-container-selinux/

@rhatdan We're still having an issue with transitioning the socket from container_var_lib_t to kubelet_var_lib_t:

[root@cnfdf08 kubelet]# ls -Z pod-resources/
system_u:object_r:container_var_lib_t:s0 kubelet.sock

If i'm running restorecon the file gets the correct label.

This are the rules I extracted from the cil file:

(typetransition kubelet_t container_var_lib_t sock_file "kubelet.sock" kubelet_var_lib_t)
(typetransition kubelet_t var_lib_t sock_file "kubelet.sock" kubelet_var_lib_t)

[rhatdan]

Can you remove the kubelet.sock and restart the service to see if it gets created with the wrong label?

[Tal-or]

Can you remove the kubelet.sock and restart the service to see if it gets created with the wrong label?

It does created with the wrong label. I checked that.

[Tal-or]

[root@cnfdf08 kubelet]# systemctl stop kubelet
[root@cnfdf08 kubelet]# rm -rf pod-resources
[root@cnfdf08 kubelet]# systemctl start kubelet
[root@cnfdf08 kubelet]# ls -Z pod-resources/
system_u:object_r:container_var_lib_t:s0 kubelet.sock

[Tal-or]

I think I found a way:
we should replace:

filetrans_pattern(kubelet_t, container_var_lib_t, kubelet_var_lib_t, sock_file, "kubelet.sock")

with

filetrans_pattern(kubelet_t, container_var_lib_t, kubelet_var_lib_t, dir, "pod-resources")

this transition works and kubelet.sock will inherent kubelet_var_lib_t type from its parent directory i.e pod-resources.
There are no other files in the pod-resources directory so no other files will be affected.

[Tal-or]

@rhatdan I tested and verified locally on my system and it works as expected.
From my POV we can merge this PR. Thank you very much