[Bug] - selinux issues with package container-selinux on 2023.6.20241010 #823

Open
dlouzan opened this issue Oct 25, 2024 · 4 comments
Labels: bug (Something isn't working)

dlouzan commented Oct 25, 2024

We have started updating our instances to the latest released version 2023.6.20241010, and this is causing issues on the hosts where we run k3s workloads.

We have been running the enforced mode on these hosts for a long time without problems, but after updating the system to 2023.6.20241010, k3s started dying with audit log selinux messages. Setting selinux to permissive made it work again.

$ sudo sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33

After the update, a simple reinstall of the container-selinux package fails with error Failed to resolve AST:

$ sudo dnf install -y container-selinux
Last metadata expiration check: 0:21:22 ago on Fri Oct 25 08:03:48 2024.
Dependencies resolved.
===========================================================================================================================================================================================================
 Package                                             Architecture                             Version                                                  Repository                                     Size
===========================================================================================================================================================================================================
Installing:
 container-selinux                                   noarch                                   2:2.222.0-325.amzn2023                                   amazonlinux                                    55 k

Transaction Summary
===========================================================================================================================================================================================================
Install  1 Package

Total download size: 55 k
Installed size: 67 k
Downloading Packages:
container-selinux-2.222.0-325.amzn2023.noarch.rpm                                                                                                                          187 kB/s |  55 kB     00:00    
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                                                                                      104 kB/s |  55 kB     00:00     
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                                                                                                                                   1/1 
  Running scriptlet: container-selinux-2:2.222.0-325.amzn2023.noarch                                                                                                                                   1/1 
  Installing       : container-selinux-2:2.222.0-325.amzn2023.noarch                                                                                                                                   1/1 
  Running scriptlet: container-selinux-2:2.222.0-325.amzn2023.noarch                                                                                                                                   1/1 
Failed to resolve allow statement at /var/lib/selinux/targeted/tmp/modules/200/container/cil:2891
Failed to resolve AST
/usr/sbin/semodule:  Failed!
  Verifying        : container-selinux-2:2.222.0-325.amzn2023.noarch                                                                                                                                   1/1 
Installed:
  container-selinux-2:2.222.0-325.amzn2023.noarch                                                                                                                                                          
Complete!

Interestingly, the dnf command succeeds, even though it clearly failed, and no semodule was installed for container as we can see on hosts where we have not yet updated:

$ sudo semodule --list=full | grep -e container -e cgroup
100 cgroup            pp
# No `200 container pp` as expected

The package seems to have been bumped to 2.222.0-325.amzn2023 a long time ago, so we assume this is something with the system update in this release, see release notes for 2023.2.20231018: https://docs.aws.amazon.com/linux/al2023/release-notes/relnotes-2023.2.20231018.html

Checking dmesg, we can see the following error, pointing to user_namespace not being defined:

[   60.080300] SELinux:  Class user_namespace not defined in policy.
[   60.080790] SELinux: the above unknown classes and permissions will be allowed
[   60.081446] SELinux:  Converting 341 SID table entries...
[   60.088132] SELinux:  policy capability network_peer_controls=1
[   60.088604] SELinux:  policy capability open_perms=1
[   60.088986] SELinux:  policy capability extended_socket_class=1
[   60.089444] SELinux:  policy capability always_check_network=0
[   60.089889] SELinux:  policy capability cgroup_seclabel=1
[   60.090298] SELinux:  policy capability nnp_nosuid_transition=1
[   60.090748] SELinux:  policy capability genfs_seclabel_symlinks=1
[   60.091212] SELinux:  policy capability ioctl_skip_cloexec=0

Any hints will be appreciated, thanks.

/cc @bufferoverflow
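As an added example (not code from the issue, from Amazon Linux, or from the container-selinux project), the script below turns the diagnosis in this report into two offline checks: it confirms from a `semodule --list-modules=full` listing whether the container module was actually loaded, and pulls the "Class X not defined in policy" lines out of the kernel log, so a host can be verified after the dnf transaction rather than trusting dnf's exit status (the semodule scriptlet failed above, yet dnf still printed "Complete!"). The function names and the sample listings and log lines are this example's own, constructed to match the shapes shown in the report.

```shell
#!/bin/sh
# Added example (not from the issue): offline checks mirroring the report's diagnosis.
# Function and variable names are this example's own.

# Does `semodule --list-modules=full` output (on stdin) list the named module?
# Columns are: priority, module name, format (pp/cil). Exact match on the name column.
policy_has_module() {
    awk -v name="$1" '$2 == name { found = 1 } END { exit found ? 0 : 1 }'
}

# Print every object class the kernel reports as absent from the loaded policy,
# taken from "SELinux:  Class X not defined in policy." lines on stdin (dmesg output).
undefined_classes() {
    sed -n 's/^.*SELinux:  *Class \([A-Za-z0-9_]*\) not defined in policy\..*$/\1/p'
}

# One-line verdict from a module listing and a kernel log, both passed as strings.
diagnose() {
    listing=$1
    kmsg=$2
    if printf '%s\n' "$listing" | policy_has_module container; then
        state=loaded
    else
        state=missing
    fi
    classes=$(printf '%s\n' "$kmsg" | undefined_classes | tr '\n' ' ' | sed 's/ *$//')
    printf 'container module: %s; classes undefined in policy: %s\n' "$state" "${classes:-none}"
}

# Live variant for a real host (dmesg needs root); defined for reference, not run below.
diagnose_live() {
    diagnose "$(semodule --list-modules=full)" "$(dmesg)"
}

# Constructed samples shaped like the report: an affected host and an unaffected one.
AFFECTED_LISTING='100 cgroup            pp'
HEALTHY_LISTING='200 container            pp
100 cgroup               pp'
AFFECTED_KMSG='[   60.080300] SELinux:  Class user_namespace not defined in policy.
[   60.080790] SELinux: the above unknown classes and permissions will be allowed
[   60.088132] SELinux:  policy capability network_peer_controls=1'
HEALTHY_KMSG='[   12.001000] SELinux:  policy capability network_peer_controls=1'

diagnose "$AFFECTED_LISTING" "$AFFECTED_KMSG"
diagnose "$HEALTHY_LISTING" "$HEALTHY_KMSG"
```

On a real host, `diagnose_live` replaces the constructed samples with the actual `semodule` listing and kernel log; a "missing" verdict right after a successful-looking `dnf install` is the condition this issue describes, and an undefined class is the hint that the shipped module references an object class the running policy does not know.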

ozbenh added the bug label Oct 26, 2024


ozbenh commented Oct 26, 2024

Thanks for the report, I've given a heads up to the relevant team


elsaco commented Oct 26, 2024

The container-selinux available in the repo has Build Date : Thu Oct 5 00:52:53 2023. Building container-selinux-2.222.0-325.amzn2023.src.rpm on Amazon Linux 2023.6.20241010, there are no errors installing the package, and the module is available:

[ec2-user ~]$ sudo semodule --list-modules=full | egrep 'container|cgroup'
200 container            pp
100 cgroup               pp

Trying to install the container-selinux provided by the repo fails with Current mode: permissive also, so enforcing is not required to check the bug.

bufferoverflow commented

It seems that al-2023 does not set no_user_namespace, so I had to manually execute sed -i '/user_namespace/d' container.te while installing from source.


szarkos commented Oct 29, 2024

Thank you for reporting this. We are prepping an update to container-selinux for this next release cycle.
