You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
OpenShift 4.2 appears to use Cri-O 1.14, which predates Cri-O/OpenShift issue openshift/origin#25488, where using the host's IPC/pid/net namespace forces the use of the spc_t process label. As such, this issue is currently undetectable in current versions of Cri-O/OpenShift.
For versions unaffected by the linked OpenShift issue, the gremlin.process process label produced by these SELinux policies is unable to invoke runc to create sidecars due to missing SELinux policies.
Reproduction
Follow the described steps for installing Gremlin and these SELinux policies on OpenShift 4.2
Try to attack a Kubernetes service
Expected: attacks work Actual: attacks fail, avc denials can be found in /var/log/audit/audit.log
The text was updated successfully, but these errors were encountered:
Background
OpenShift 4.2 appears to use Cri-O 1.14, which predates Cri-O/OpenShift issue openshift/origin#25488, where using the host's IPC/pid/net namespace forces the use of the
spc_tprocess label. As such, this issue is currently undetectable in current versions of Cri-O/OpenShift.For versions unaffected by the linked OpenShift issue, the
gremlin.processprocess label produced by these SELinux policies is unable to invokeruncto create sidecars due to missing SELinux policies.Reproduction
Expected: attacks work
Actual: attacks fail, avc denials can be found in
/var/log/audit/audit.logThe text was updated successfully, but these errors were encountered: