Incorrect selinux context showed #4741

Closed
bguzman-3pillar opened this issue Sep 7, 2023 · 2 comments
Labels
kind/bug Something isn't working

Comments

@bguzman-3pillar
Contributor

Environmental Info:
RKE2 Version:

## RKE2 version used
rke2 version v1.25.12+rke2r1 (a0aa49e91d86a9a5eec8d94cdab13afabe11bfb6)
go version go1.20.6 X:boringcrypto

Node(s) CPU architecture, OS, and Version:

## OS used to validate
NAME="Red Hat Enterprise Linux"
VERSION="9.2 (Plow)"
ID="rhel"
ID_LIKE="fedora"
VERSION_ID="9.2"
PLATFORM_ID="platform:el9"
PRETTY_NAME="Red Hat Enterprise Linux 9.2 (Plow)"
ANSI_COLOR="0;31"
LOGO="fedora-logo-icon"
CPE_NAME="cpe:/o:redhat:enterprise_linux:9::baseos"
HOME_URL="https://www.redhat.com/"
DOCUMENTATION_URL="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9"
BUG_REPORT_URL="https://bugzilla.redhat.com/"

Cluster Configuration:

1 server, 1 agent

Describe the bug:

While working on this automation task, "Automate Selinux checks" rancher/qa-tasks#830,
we found that the context is not shown correctly for RHEL 9.2. We used this guide https://github.com/rancher/rke2-selinux/blob/master/policy/centos9/rke2.fc to validate the correct context.

Steps To Reproduce:

  • Install RKE2 with selinux enabled
  • Validate selinux is present by running rpm -qa container-selinux rke2-server rke2-selinux
  • Validate that this context is correctly present here:
/etc/systemd/system/rke2.*                                          --  gen_context(system_u:object_r:container_unit_file_t,s0)
/lib/systemd/system/rke2.*                                          --  gen_context(system_u:object_r:container_unit_file_t,s0)
/usr/local/lib/systemd/system/rke2.*                                --  gen_context(system_u:object_r:container_unit_file_t,s0)

Expected behavior:

  • Context shown correctly
system_u:object_r:container_unit_file_t,s0

Actual behavior:

sudo ls -laZ /lib/systemd/system/rke2*
-rw-r--r--. 1 root root system_u:object_r:systemd_unit_file_t:s0 859 Jul 31 17:43 /lib/systemd/system/rke2-server.service

Additional context / logs:

@galal-hussein
Contributor

rke2-selinux 0.16.1 testing has been released for the testing channel; this issue can be verified with it.

@ShylajaDevadiga
Contributor

Validated using rke2 version v1.28.3-rc4+rke2r1

Environment Details

Infrastructure
Cloud EC2 instance

Node(s) CPU architecture, OS, and Version:
$ cat /etc/os-release
NAME="Red Hat Enterprise Linux"
VERSION="9.2 (Plow)"
ID="rhel"
ID_LIKE="fedora"
VERSION_ID="9.2"
PLATFORM_ID="platform:el9"
PRETTY_NAME="Red Hat Enterprise Linux 9.2 (Plow)"

Reproduction results:

$ ls -lZ /usr/lib/systemd/system/rke2-server.service
-rw-r--r--. 1 root root system_u:object_r:systemd_unit_file_t:s0 859 Jul 31 17:18 /usr/lib/systemd/system/rke2-server.service
$ rpm -qa |grep selinux
libselinux-3.5-1.el9.x86_64
libselinux-utils-3.5-1.el9.x86_64
python3-libselinux-3.5-1.el9.x86_64
selinux-policy-38.1.11-2.el9_2.2.noarch
selinux-policy-targeted-38.1.11-2.el9_2.2.noarch
rpm-plugin-selinux-4.16.1.3-22.el9.x86_64
container-selinux-2.205.0-1.el9_2.noarch
rke2-selinux-0.15-1.el9.noarch

Validation results:

Context looks correct

$ ls -lZ /usr/lib/systemd/system/rke2-server.service
-rw-r--r--. 1 root root system_u:object_r:container_unit_file_t:s0 859 Oct 28 04:33 /usr/lib/systemd/system/rke2-server.service

$ rpm -qa |grep selinux
libselinux-3.5-1.el9.x86_64
libselinux-utils-3.5-1.el9.x86_64
python3-libselinux-3.5-1.el9.x86_64
selinux-policy-38.1.11-2.el9_2.2.noarch
selinux-policy-targeted-38.1.11-2.el9_2.2.noarch
rpm-plugin-selinux-4.16.1.3-22.el9.x86_64
container-selinux-2.205.0-1.el9_2.noarch
rke2-selinux-0.16-1.el9.noarch
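
An added example (not part of the issue thread or the RKE2 project's code) of the comparison the report performs by hand: it converts the `gen_context(...)` entries quoted in the issue into the `user:role:type:level` form that `ls -Z` prints and checks each listing line against them. The function names, the constructed second sample line, and the simplification to a literal first-match regex lookup are assumptions.

```shell
#!/bin/sh
# Added example, not from the issue: literal check of `ls -lZ` lines against .fc entries.

# The three file-context entries quoted in the issue (column padding collapsed).
FC_ENTRIES='/etc/systemd/system/rke2.* -- gen_context(system_u:object_r:container_unit_file_t,s0)
/lib/systemd/system/rke2.* -- gen_context(system_u:object_r:container_unit_file_t,s0)
/usr/local/lib/systemd/system/rke2.* -- gen_context(system_u:object_r:container_unit_file_t,s0)'

# expected_label PATH: print the label of the first entry whose anchored regex matches.
# Assumes two-argument gen_context(user:role:type,level) and ERE-compatible path specs;
# SELinux path-equivalence substitution is deliberately not applied.
expected_label() {
    while read -r spec _ftype ctx; do
        if printf '%s\n' "$1" | grep -Eq "^${spec}\$"; then
            ctx=${ctx#"gen_context("}
            ctx=${ctx%")"}
            printf '%s:%s\n' "${ctx%,*}" "${ctx##*,}"   # "type,s0" becomes "type:s0"
            return 0
        fi
    done <<EOF
$FC_ENTRIES
EOF
    return 1
}

# check_ls_line LINE: returns 0 on match, 1 on mismatch, 2 if no entry covers the path.
# Assumes the path contains no spaces (field 5 is the context, last field the path).
check_ls_line() {
    read -r _mode _links _owner _group actual _rest <<EOF
$1
EOF
    target=${_rest##* }
    want=$(expected_label "$target") || { echo "UNCOVERED $target"; return 2; }
    if [ "$actual" = "$want" ]; then
        echo "OK $target"
    else
        echo "MISMATCH $target: expected $want, got $actual"
        return 1
    fi
}

# Sample input: the reporter's listing, a constructed line with the expected type,
# and the /usr/lib listing from the validation comment.
LINE_BEFORE='-rw-r--r--. 1 root root system_u:object_r:systemd_unit_file_t:s0 859 Jul 31 17:43 /lib/systemd/system/rke2-server.service'
LINE_FIXED='-rw-r--r--. 1 root root system_u:object_r:container_unit_file_t:s0 859 Oct 28 04:33 /lib/systemd/system/rke2-server.service'
LINE_USRLIB='-rw-r--r--. 1 root root system_u:object_r:container_unit_file_t:s0 859 Oct 28 04:33 /usr/lib/systemd/system/rke2-server.service'
for line in "$LINE_BEFORE" "$LINE_FIXED" "$LINE_USRLIB"; do
    check_ls_line "$line" || true
done
```

On a live host, `matchpathcon <path>` reports the label the loaded policy expects, including the equivalence rules this literal matcher omits.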
