Install rancher-logging (rancher-logging-105.2.0+up4.10.0) via HELM and enable SELinux
The pod rancher-logging-root-fluentbit keeps in a CrashLoopBackOff status with error:
CrashLoopBackOff (back-off 10s restarting failed container=fluent-bit pod=rancher-logging-root-fluentbit-8tqk4_cattle-logging-system(d906ca04-0ad8-4e62-9f3b-651e4dda4e3c)) | Last state: Terminated with 1: Error, started: Mon, Jan 27 2025 1:48:06 pm, finished: Mon, Jan 27 2025 1:48:06 pm
Checking the SELinux logs:
SELinux is preventing /fluent-bit/bin/fluent-bit from listen access on the tcp_socket port None.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that fluent-bit should be allowed listen access on the port None tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'monkey: wrk/0' --raw | audit2allow -M my-monkeywrk0
# semodule -X 300 -i my-monkeywrk0.pp
Additional Information:
Source Context system_u:system_r:rke_logreader_t:s0:c928,c942
Target Context system_u:system_r:rke_logreader_t:s0:c928,c942
Target Objects port None [ tcp_socket ]
Source monkey: wrk/0
Source Path /fluent-bit/bin/fluent-bit
Port <Unknown>
Host localhost.localdomain
Source RPM Packages
Target RPM Packages
SELinux Policy RPM selinux-policy-targeted-38.1.45-3.el9_5.noarch
Local Policy RPM rancher-selinux-0.5-1.el9.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name localhost.localdomain
Platform Linux localhost.localdomain 5.14.0-503.21.1.el9_5.x86_64 #1 SMP PREEMPT_DYNAMIC Thu Dec 19 09:37:00 EST 2024 x86_64 x86_64
Alert Count 1
First Seen 2025-01-27 13:48:21 CST
Last Seen 2025-01-27 13:48:21 CST
Local ID 166fb46c-4f55-4c36-a7e3-7dba00c42c99
Raw Audit Messages
type=AVC msg=audit(1738007301.42:135271): avc: denied { listen } for pid=113449 comm=6D6F6E6B65793A2077726B2F30 lport=2020 scontext=system_u:system_r:rke_logreader_t:s0:c928,c942 tcontext=system_u:system_r:rke_logreader_t:s0:c928,c942 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1738007301.42:135271): arch=x86_64 syscall=listen success=no exit=EACCES a0=9c a1=80 a2=80 a3=7f175dff961c items=0 ppid=112744 pid=113449 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=monkey: wrk/0 exe=/fluent-bit/bin/fluent-bit subj=system_u:system_r:rke_logreader_t:s0:c928,c942 key=(null)
Hash: monkey: wrk/0,rke_logreader_t,rke_logreader_t,tcp_socket,listen
The pod is running as this SELinux type: rke_logreader_t.
Reading the policy, it seems that it is missing
allow rke_logreader_t self:tcp_socket { accept listen };
to be able to run the pod.
How to reproduce:
The pod rancher-logging-root-fluentbit keeps in a CrashLoopBackOff status with the error and SELinux denial shown above. The pod is running as this SELinux type: rke_logreader_t. Reading the policy, it seems that it is missing
allow rke_logreader_t self:tcp_socket { accept listen };
to be able to run the pod.

I created a fork to test this:
main...xandradx:rancher-selinux:main#diff-df99d38fbf1b660ce4c515d14dbd7ca9bebdc43209d9e446753b0e4d1f5596b2
I built rancher-selinux-0.5-2.el9.noarch.rpm and installed it:
dnf localinstall /opt/CUSTOM/noarch/rancher-selinux-0.5-2.el9.noarch.rpm
Your comments on whether this is the proper way to handle this are welcome; if so, this should be tested on the other OS releases as well.
Let me know if this works for you and I can create a PR and help you test it on the other releases.
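The following is an added example, not code from the issue author or from the rancher-selinux project. It parses the raw audit records quoted in the report (decoding the hex-encoded comm, which the kernel uses because the thread name "monkey: wrk/0" contains a space, and reading the scontext/tcontext types) and then derives the allow rule the way audit2allow does: one rule per (source type, target type, class), with the target written as self when both contexts carry the same type. The third audit record in the sample is constructed for this example and is not from the page; it stands for the accept denial that shows up on the next restart once listen alone is permitted, which is why the proposed rule needs both permissions. Port 2020 in the AVC is the default port of fluent-bit's built-in HTTP server. The .te layout mirrors what audit2allow -M writes; the build and verification commands in the comments are real tools but are not executed by the script.

```python
import re

# Raw audit records. The first two lines are the AVC and SYSCALL records
# quoted in the report above; the third is CONSTRUCTED for this example
# (not from the page) to show the follow-up 'accept' denial that appears
# once 'listen' alone is allowed.
AUDIT_RECORDS = """\
type=AVC msg=audit(1738007301.42:135271): avc: denied { listen } for pid=113449 comm=6D6F6E6B65793A2077726B2F30 lport=2020 scontext=system_u:system_r:rke_logreader_t:s0:c928,c942 tcontext=system_u:system_r:rke_logreader_t:s0:c928,c942 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1738007301.42:135271): arch=x86_64 syscall=listen success=no exit=EACCES a0=9c a1=80 a2=80 a3=7f175dff961c items=0 ppid=112744 pid=113449 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=monkey: wrk/0 exe=/fluent-bit/bin/fluent-bit subj=system_u:system_r:rke_logreader_t:s0:c928,c942 key=(null)
type=AVC msg=audit(1738007302.07:135272): avc: denied { accept } for pid=113449 comm=6D6F6E6B65793A2077726B2F30 lport=2020 scontext=system_u:system_r:rke_logreader_t:s0:c928,c942 tcontext=system_u:system_r:rke_logreader_t:s0:c928,c942 tclass=tcp_socket permissive=0
"""

AVC_RE = re.compile(
    r"^type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?"
    r"comm=(?P<comm>\"[^\"]*\"|\S+) .*?"
    r"scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)"
)
LPORT_RE = re.compile(r"\blport=(\d+)")


def decode_comm(raw):
    """The kernel hex-encodes comm when it contains spaces or quotes and
    otherwise prints it quoted. Return the plain thread name either way."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if len(raw) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", raw):
        return bytes.fromhex(raw).decode("utf-8", errors="replace")
    return raw


def context_type(ctx):
    """user:role:type:level -> type. The MCS categories (c928,c942) are the
    per-pod isolation labels and play no part in the type-enforcement rule."""
    return ctx.split(":")[2]


def parse_avcs(text):
    """Return one dict per AVC record; SYSCALL records carry no policy decision."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        port = LPORT_RE.search(line)
        denials.append({
            "perms": set(m.group("perms").split()),
            "comm": decode_comm(m.group("comm")),
            "stype": context_type(m.group("scontext")),
            "ttype": context_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
            "lport": int(port.group(1)) if port else None,
        })
    return denials


def derive_rules(denials):
    """Merge denials into allow rules as audit2allow does: one rule per
    (source type, target type, class); the target becomes 'self' when the
    target type equals the source type, as it does for a socket the process
    created itself."""
    merged = {}
    for d in denials:
        target = "self" if d["ttype"] == d["stype"] else d["ttype"]
        merged.setdefault((d["stype"], target, d["tclass"]), set()).update(d["perms"])
    return merged


def render_rules(merged):
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in sorted(merged.items())
    ]


def render_module(name, merged, version="1.0"):
    """Produce .te source in the layout audit2allow -M writes."""
    types = sorted({s for (s, _, _) in merged} | {t for (_, t, _) in merged if t != "self"})
    classes = {}
    for (_, _, c), p in merged.items():
        classes.setdefault(c, set()).update(p)
    lines = [f"module {name} {version};", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    lines += ["}", ""] + render_rules(merged)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    denials = parse_avcs(AUDIT_RECORDS)
    for d in denials:
        print(f"{d['comm']!r} as {d['stype']} denied {sorted(d['perms'])} "
              f"on {d['tclass']} port {d['lport']}")
    print(render_module("my-monkeywrk0", derive_rules(denials)))
    # Build and load on the host (real commands, not run by this script):
    #   checkmodule -M -m -o my-monkeywrk0.mod my-monkeywrk0.te
    #   semodule_package -o my-monkeywrk0.pp -m my-monkeywrk0.mod
    #   semodule -X 300 -i my-monkeywrk0.pp
    # Confirm the grant is in the loaded policy (setools):
    #   sesearch -A -s rke_logreader_t -t rke_logreader_t -c tcp_socket -p listen
```

A module loaded this way is a per-host workaround that papers over the gap in the shipped policy; the durable fix is the rule in the rancher-selinux policy source, which is what the fork above does. Whichever route is taken, run sesearch against the loaded policy afterwards rather than trusting that the module installed, and confirm the pod stays Running with SELinux still in enforcing mode.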