securityContext Option Needed to Access /var/log when SELinux is Enabled #190
@ImranR98: Thanks for opening an issue, it is currently awaiting triage. If you haven't already, please provide the following information:

In the meantime, you can:

Details: I am a bot created to help the crowdsecurity developers manage community feedback and contributions. You can check out my manifest file to understand my behavior and what I can do. If you want to use this for your project, you can check out the forked project rr404/oss-governance-bot repository.

@ImranR98: There are no 'kind' label on this issue. You need a 'kind' label to start the triage process.

/kind enhancement
Note: Aside from this, there is something else preventing the agent from actually acting on the log files (it never bans my IP even when being hammered by

Update: This is because the file can be read but not watched for changes. Not sure how to proceed from here.

Update 2: Even after enabling

Update 3: Finally got a custom SELinux policy that seems to work at least in basic testing (obviously not ideal since the policy needs to be applied on each node). This script applies the policy and patches CrowdSec:

```bash
#!/bin/bash -e
# https://github.com/crowdsecurity/helm-charts/issues/190

# Define the policy file and module names
POLICY_FILE="/tmp/allow_logreader_to_watch_logs.te"
MODULE_FILE="/tmp/allow_logreader_to_watch_logs.mod"
PACKAGE_FILE="/tmp/allow_logreader_to_watch_logs.pp"

# Create the policy file: grant the container log reader domain the inotify
# "watch" permissions on container log files and directories
cat <<EOF >"$POLICY_FILE"
module allow_logreader_to_watch_logs 1.0;

require {
    class file { watch watch_reads };
    class dir { watch };
    type container_logreader_t;
    type container_log_t;
};

allow container_logreader_t container_log_t:file { watch watch_reads };
allow container_logreader_t container_log_t:dir { watch };
EOF

# Compile the policy file into a module
checkmodule -M -m -o "$MODULE_FILE" "$POLICY_FILE"
# Package the module into a policy package
semodule_package -m "$MODULE_FILE" -o "$PACKAGE_FILE"
# Install the policy package into SELinux
sudo semodule -i "$PACKAGE_FILE"

# Clean up
rm -f "$POLICY_FILE" "$MODULE_FILE" "$PACKAGE_FILE"

# Apply the required label to the deployment
kubectl patch -n production daemonset crowdsec-agent --type='strategic' -p '{
  "spec": {
    "template": {
      "spec": {
        "securityContext": {
          "seLinuxOptions": {
            "type": "container_logreader_t"
          }
        }
      }
    }
  }
}'
```
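The "can read but not watch" symptom above shows up in the kernel audit log as AVC denials for the `watch` permission. The following is an added example (not from the issue or the CrowdSec project) that parses such denials and renders them as a `.te` module in the same shape as the script's policy; the audit lines are constructed samples, and the field layout is the standard AVC record format.

```python
import re
from collections import defaultdict

# Constructed sample, in the format the Linux audit subsystem writes to
# /var/log/audit/audit.log. It models this issue: the agent runs as
# container_logreader_t, can read container_log_t files, but is denied the
# inotify "watch" permissions it needs to follow the log files.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1700000000.101:901): avc:  denied  { watch } for  pid=4242 comm="crowdsec" path="/var/log/containers" dev="dm-0" ino=131 scontext=system_u:system_r:container_logreader_t:s0 tcontext=system_u:object_r:container_log_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1700000000.102:902): avc:  denied  { watch watch_reads } for  pid=4242 comm="crowdsec" path="/var/log/containers/traefik.log" dev="dm-0" ino=132 scontext=system_u:system_r:container_logreader_t:s0 tcontext=system_u:object_r:container_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.103:903): avc:  denied  { watch } for  pid=4242 comm="crowdsec" path="/var/log/pods" dev="dm-0" ino=133 scontext=system_u:system_r:container_logreader_t:s0 tcontext=system_u:object_r:container_log_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1700000000.103:903): arch=c000003e syscall=254 success=no exit=-13
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?scontext=(?P<scon>\S+)"
    r".*?tcontext=(?P<tcon>\S+).*?tclass=(?P<tclass>\S+)"
)

def parse_denials(audit_text):
    """Map (source type, target type, object class) -> set of denied permissions."""
    denials = defaultdict(set)
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, PATH and other record types carry no denial
        # A context is user:role:type:level; only the type matters for the rule.
        key = (m["scon"].split(":")[2], m["tcon"].split(":")[2], m["tclass"])
        denials[key].update(m["perms"].split())
    return dict(denials)

def to_policy_module(denials, name="allow_logreader_to_watch_logs", version="1.0"):
    """Render the denials as a .te module in the shape of the one in this issue."""
    classes, types = defaultdict(set), set()
    for (stype, ttype, tclass), perms in denials.items():
        classes[tclass].update(perms)
        types.update((stype, ttype))
    out = [f"module {name} {version};", "", "require {"]
    out += [f"    class {c} {{ {' '.join(sorted(classes[c]))} }};" for c in sorted(classes)]
    out += [f"    type {t};" for t in sorted(types)]
    out += ["};", ""]
    # Each rule grants exactly the denied permissions and nothing broader;
    # review them before installing, as blanket generation can over-grant.
    for (stype, ttype, tclass), perms in sorted(denials.items()):
        out.append(f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(to_policy_module(parse_denials(SAMPLE_AUDIT_LOG)))
```

Feed it the real audit log (`ausearch -m avc -ts recent`) to confirm the denial is limited to `watch`/`watch_reads` before compiling the module with `checkmodule` as in the script above.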
If it turns out to be impossible to get past the SELinux issues, maybe we could have a way to grab Traefik logs through an existing PVC instead of the chart automatically creating one for
@ImranR98 your issue seems a bit related to my issue with Talos and Crowdsec, see #196. Do you see the following log entries in your agent container log files just after the startup has been completed? If so, check my issue for a possible solution.
To read Traefik logs, CrowdSec needs access to the /var/log/containers directory, but this is inaccessible if the host has SELinux (like on Fedora). I found (source) that the solution (without disabling SELinux) is to add this option to the pod spec:

I assume this can't be added to the Helm chart by default (would probably error out on non-SELinux systems but I haven't checked), but it should still be possible to set this in values.yaml, but it doesn't appear to be. Could this option be added?

Note: I'm grabbing Traefik logs by adding this to values.yaml (maybe there's an alternative?):