Okay, so we introduced a new SELinux domain for Firecracker. We are using the jailer and doing the transition after the jailer to `container_kvm_t`.

We stumbled on the fact that the `firecracker` process started by the jailer is the one setting up the tun device required for network connections. This, for reasons I am less clear about, results in a `tun_socket` being created in the `runtime_t` domain (the domain that `containerd`, all the way to the `jailer`, has), that Firecracker wants to relabel back to `container_kvm_t`.

There is a `neverallow` statement in the SELinux policy here: https://github.com/bottlerocket-os/bottlerocket-core-kit/blob/develop/packages/selinux-policy/rules.cil#L340 which does not allow me to allow this specific relabeling, as `container_kvm_t` ends up being an untrusted domain (as it should).

I am not great at CIL and I am not great at SELinux, but I could not for my life figure out how or why this `tun_socket` needs to make the transition from `runtime_t` to `container_kvm_t` and doesn't get created in the `container_kvm_t` domain right away.

My only guess is that it is because "the other end" of the TUN device is picked up by the containerd shim process, which is in the `runtime_t` domain (to then be wired together with the CNI), but tbf the documentation about `tun_socket` in the SELinux context is relatively limited.

I, for now, unblocked myself by commenting out this `neverallow` statement and explicitly allowing this transition - but it does feel quite hacky and I am sure there is a better way.

In the context of Bottlerocket, do you have any recommendations on how to figure this out? Perhaps, for someone who is actually decent at CIL and SELinux, this has a very obvious solution?
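As an added example (not the poster's or Bottlerocket's code): a small Python triage over constructed AVC audit lines of the kind this relabel produces. It turns each denial into the CIL allow rule that would silence it and flags rules that would hand a relabel permission to an untrusted domain, which is what the linked neverallow exists to prevent; the sample lines and the untrusted-domain set are assumptions.

```python
import re

# Constructed audit lines (not from the page) in the kernel's AVC format; they model
# an untrusted guest domain trying to relabel a tun_socket created in runtime_t,
# plus one ordinary device access for contrast.
SAMPLE_AVC = """\
type=AVC msg=audit(1700000000.101:301): avc:  denied  { relabelfrom } for  pid=4242 comm="firecracker" scontext=system_u:system_r:container_kvm_t:s0:c12,c34 tcontext=system_u:system_r:runtime_t:s0 tclass=tun_socket permissive=0
type=AVC msg=audit(1700000000.101:302): avc:  denied  { relabelto } for  pid=4242 comm="firecracker" scontext=system_u:system_r:container_kvm_t:s0:c12,c34 tcontext=system_u:system_r:container_kvm_t:s0:c12,c34 tclass=tun_socket permissive=0
type=AVC msg=audit(1700000000.150:303): avc:  denied  { read write } for  pid=4242 comm="firecracker" scontext=system_u:system_r:container_kvm_t:s0:c12,c34 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=0
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Assumption: domains the policy treats as untrusted; the post names container_kvm_t.
UNTRUSTED_DOMAINS = {"container_kvm_t"}
RELABEL_PERMS = {"relabelfrom", "relabelto"}


def type_of(context):
    """user:role:type[:range] -> type"""
    return context.split(":")[2]


def parse_avc(text):
    """One dict per AVC denial line: source type, target type, class, permissions."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            denials.append({"stype": type_of(m["scontext"]), "ttype": type_of(m["tcontext"]),
                            "tclass": m["tclass"], "perms": m["perms"].split()})
    return denials


def cil_allow(d):
    """The CIL allow rule that would silence this denial (audit2allow-style)."""
    return f"(allow {d['stype']} {d['ttype']} ({d['tclass']} ({' '.join(d['perms'])})))"


def needs_design_review(d):
    """True when the rule would let an untrusted domain relabel an object: the grant the
    policy's neverallow forbids, so the fix belongs in the design, not in the policy."""
    return d["stype"] in UNTRUSTED_DOMAINS and bool(RELABEL_PERMS & set(d["perms"]))


def triage(text):
    """Pair each candidate allow rule with whether it needs a redesign instead."""
    return [(cil_allow(d), needs_design_review(d)) for d in parse_avc(text)]


if __name__ == "__main__":
    for rule, flagged in triage(SAMPLE_AVC):
        print(("REDESIGN  " if flagged else "candidate ") + rule)
```

Feeding it the real `ausearch -m avc` output instead of the sample shows which of the denials are the relabel ones that the neverallow is there to catch.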