Kube Flannel (> 0.14.1) does not start in SELinux enforcing mode #635
Open
tormath1 opened this issue Feb 22, 2022 · 0 comments
Labels
area/selinux Issues related to SELinux kind/bug Something isn't working
tormath1 commented Feb 22, 2022

Description

In the latest CNI plugin versions (from 1.0.0), the Flannel plugin has been removed. Starting from Kube Flannel version 0.15.0, plugin installation is defined in the manifest:

      - name: install-cni-plugin
        image: rancher/mirrored-flannelcni-flannel-cni-plugin:v1.2
        command:
        - cp
        args:
        - -f
        - /flannel
        - /opt/cni/bin/flannel
        volumeMounts:
        - name: cni-plugin
          mountPath: /opt/cni/bin

The path being mounted is /opt/cni/bin with the following label on the host machine:

$ ls -aliZ /opt/cni/
total 24
198 drwxr-xr-x. 3 root root system_u:object_r:usr_t:s0 4096 Feb 22 09:02 .
 94 drwxr-xr-x. 6 root root system_u:object_r:usr_t:s0 4096 Feb 22 09:02 ..
199 drwxrwxr-x. 2 root root system_u:object_r:usr_t:s0 4096 Sep  7 19:49 bin

This leads to the following SELinux error and prevents Flannel from starting correctly in enforcing mode:

Feb 21 13:37:14.710000 audit[3217]: AVC avc:  denied  { write } for  pid=3217 comm="cp" name="bin" dev="sda9" ino=198 scontext=system_u:system_r:svirt_lxc_net_t:s0:c229,c794 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0

While waiting for #479, we can patch the current selinux-virt as we already did for Flannel in this commit: flatcar-archive/coreos-overlay@56d2acd to give /opt/cni(/.*)? a correct context.

This patch could eventually be upstreamed to https://github.com/SELinuxProject/refpolicy/blob/master/policy/modules/services/container.fc as soon as we have integrated and tested this new policy.

Additional information

We can currently mitigate this issue by running a chcon command on the folder (see also: flatcar/mantle#297):

/usr/bin/chcon -R /opt/cni -t svirt_lxc_file_t

To reproduce

Run kubeadm.v1.23.4.flannel.base on any cloud provider; to assert the issue is fixed: revert the commit where chcon is added and re-run the test.

NOTE: This commit can be reverted once done: flatcar-archive/flatcar-docs@f77a06f
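Added example (not part of the issue above, and not Flatcar's or Flannel's own code): a small Python helper that parses an AVC denial line like the one quoted in the report, extracts the source and target contexts, and checks the target directory's current type against a file-context spec of the kind the issue proposes. The mapping of /opt/cni(/.*)? to svirt_lxc_file_t is an assumption taken from the chcon mitigation in the report, not from a published policy; the audit line embedded below is the one from the issue, and the second line is constructed to show a non-container denial being ignored.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Parses "avc:  denied  { write } for  pid=... comm="cp" ... tclass=dir permissive=0".
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<kv>.*)$")
# key=value pairs; values may be quoted ("cp") or bare (system_u:object_r:usr_t:s0).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumed file-context spec: regex over the path -> SELinux type it should carry.
# Mirrors the /opt/cni(/.*)? pattern and the svirt_lxc_file_t type from the issue.
FILE_CONTEXTS: Tuple[Tuple[str, str], ...] = (
    (r"/opt/cni(/.*)?", "svirt_lxc_file_t"),
)


@dataclass(frozen=True)
class AvcDenial:
    permissions: Tuple[str, ...]
    pid: int
    comm: str
    name: str
    scontext: str
    tcontext: str
    tclass: str
    permissive: bool


def parse_avc(line: str) -> Optional[AvcDenial]:
    """Return the structured denial, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("kv"))}
    return AvcDenial(
        permissions=tuple(m.group("perms").split()),
        pid=int(fields["pid"]),
        comm=fields["comm"],
        name=fields.get("name", ""),
        scontext=fields["scontext"],
        tcontext=fields["tcontext"],
        tclass=fields["tclass"],
        permissive=fields.get("permissive", "0") == "1",
    )


def context_type(ctx: str) -> str:
    """'system_u:object_r:usr_t:s0' -> 'usr_t' (user:role:type[:range])."""
    return ctx.split(":")[2]


def expected_type(path: str) -> Optional[str]:
    """Type the assumed file-context spec would assign to path, or None if unmatched."""
    for pattern, selinux_type in FILE_CONTEXTS:
        if re.fullmatch(pattern, path):
            return selinux_type
    return None


def needs_relabel(denial: AvcDenial, target_path: str) -> Optional[str]:
    """If a container domain (svirt_lxc_*) was denied on a path our spec covers and the
    path's current type differs from the expected one, return the expected type."""
    if not context_type(denial.scontext).startswith("svirt_lxc_"):
        return None
    wanted = expected_type(target_path)
    if wanted is None or wanted == context_type(denial.tcontext):
        return None
    return wanted


def mitigation_command(path: str, selinux_type: str) -> Tuple[str, ...]:
    """The chcon invocation from the issue, built as an argv tuple (not executed here)."""
    return ("/usr/bin/chcon", "-R", "-t", selinux_type, path)


# The audit line quoted in the issue, plus one constructed line from a non-container domain.
ISSUE_LINE = (
    'Feb 21 13:37:14.710000 audit[3217]: AVC avc:  denied  { write } for  pid=3217 comm="cp" '
    'name="bin" dev="sda9" ino=198 scontext=system_u:system_r:svirt_lxc_net_t:s0:c229,c794 '
    'tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0'
)
OTHER_LINE = (
    'Feb 21 13:40:00.000000 audit[4000]: AVC avc:  denied  { read write } for  pid=4000 comm="sshd" '
    'name="bin" dev="sda9" ino=198 scontext=system_u:system_r:sshd_t:s0 '
    'tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0'
)

if __name__ == "__main__":
    for line in (ISSUE_LINE, OTHER_LINE):
        d = parse_avc(line)
        fix = needs_relabel(d, "/opt/cni/bin") if d else None
        print(d.comm if d else "?", "->", mitigation_command("/opt/cni", fix) if fix else "no relabel")
```

The caller supplies the full path because the AVC record only carries the object's basename and inode; in practice you would resolve `ino=198` on `dev="sda9"` first (the `ls -aliZ` output in the report shows that inode is /opt/cni). The script only builds the chcon argv so the decision logic can be exercised offline.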
