
SELinux blocks cdc from running

Open gugu opened this issue 2 years ago • 2 comments

I'm trying to set up core-dump-handler, but I get this error in journalctl:

Mar 22 17:22:44 ip-172-30-18-62.ec2.internal kernel: audit: type=1400 audit(1679505764.849:16): avc:  denied  { execute } for  pid=636018 comm="kworker/u4:2" name="cdc" dev="nvme1n1p1" ino=576664 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:local_t:s0 tclass=file permissive=0
Mar 22 17:22:44 ip-172-30-18-62.ec2.internal kernel: Core dump to |/var/mnt/core-dump-handler/cdc pipe failed

OS: Bottlerocket OS 1.12.0 (aws-k8s-1.24)

Replacing |/var/mnt/core-dump-handler/cdc -c=%c -e=%e -p=%p -s=%s -t=%t -d=/var/mnt/core-dump-handler/cores -h=%h -E=%E with |/bin/tee /var/mnt/core-dump-handler/cores/%p, so it looks like the problem is the external mount.

gugu avatar Mar 22 '23 20:03 gugu

Facing the same problem. Did you replace core_pattern manually, or did you change it somewhere in the chart configuration?

idavydoff avatar Sep 08 '25 12:09 idavydoff

Hello,

I encountered this issue as well. OS image: Bottlerocket OS 1.44.0 (aws-k8s-1.33)

I installed and configured the chart. I triggered a segfault using kubectl run -i -t segfaulter --image=quay.io/icdh/segfaulter --restart=Never

The crash was not generated, so I had to connect to the admin container and then access the host filesystem to get /var/log/dmesg kernel messages to see that the SELinux policy had prevented it from executing the composer:

Jul 09 15:00:04 ip-xxx.compute.internal audit[14651]: AVC avc:  denied  { nosuid_transition } for  pid=14651 comm="kworker/u8:0" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:forbidden_t:s0 tclass=process2 permissive=0
Jul 09 15:00:04 ip-xxx.compute.internal audit: SELINUX_ERR op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:kernel_t:s0 newcontext=system_u:system_r:forbidden_t:s0
Jul 09 15:00:04 ip-xxx.compute.internal audit[14651]: AVC avc:  denied  { execute_no_trans } for  pid=14651 comm="kworker/u8:0" path="/var/mnt/core-dump-handler/cdc" dev="nvme1n1p1" ino=38155032 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:local_t:s0 tclass=file permissive=0

We can see here that the kernel was denied from spawning a process in the forbidden_t context (kernel -> mutable objects).

The following rule prevents any process that is not part of the main image (not read-only, so mutable) from being executed: https://github.com/bottlerocket-os/bottlerocket-core-kit/blob/8.1.x/packages/selinux-policy/rules.cil#L183

@No9, maybe you have an idea of how to work around this restriction...

Thanks in advance!

np-c0mp1ete avatar Oct 17 '25 18:10 np-c0mp1ete
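An added example, not from this issue or the core-dump-handler project: a small Python parser for audit/AVC lines of the shape quoted above that picks out the case both reporters hit, the kernel itself (kernel_t, as when it runs a core_pattern pipe handler) being denied execute on a file labelled local_t. The sample log is constructed from the lines in this thread plus one unrelated denial, and the hostnames are placeholders.

```python
import re

# Constructed sample lines, modelled on the AVC denials quoted in this issue.
SAMPLE_LOG = """\
Mar 22 17:22:44 host kernel: audit: type=1400 audit(1679505764.849:16): avc:  denied  { execute } for  pid=636018 comm="kworker/u4:2" name="cdc" dev="nvme1n1p1" ino=576664 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:local_t:s0 tclass=file permissive=0
Jul 09 15:00:04 host audit[14651]: AVC avc:  denied  { nosuid_transition } for  pid=14651 comm="kworker/u8:0" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:forbidden_t:s0 tclass=process2 permissive=0
Jul 09 15:00:04 host audit[14651]: AVC avc:  denied  { execute_no_trans } for  pid=14651 comm="kworker/u8:0" path="/var/mnt/core-dump-handler/cdc" dev="nvme1n1p1" ino=38155032 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:local_t:s0 tclass=file permissive=0
Jul 09 15:00:05 host audit[14700]: AVC avc:  denied  { read } for  pid=14700 comm="nginx" path="/etc/shadow" scontext=system_u:system_r:container_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for an AVC denial line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {'perms': m.group('perms').split()}
    for key, val in FIELD_RE.findall(m.group('fields')):
        rec[key] = val.strip('"')
    # Pull the type out of a context such as system_u:system_r:kernel_t:s0.
    for ctx in ('scontext', 'tcontext'):
        if ctx in rec:
            rec[ctx + '_type'] = rec[ctx].split(':')[2]
    return rec

EXEC_PERMS = {'execute', 'execute_no_trans'}

def is_blocked_core_handler(rec):
    """True when the kernel (kernel_t, as for a core_pattern pipe) was denied
    executing a file; on Bottlerocket that means the handler lives on a mutable
    (local_t) mount instead of in the read-only image, as discussed in this issue."""
    return (rec.get('scontext_type') == 'kernel_t'
            and rec.get('tclass') == 'file'
            and bool(EXEC_PERMS & set(rec['perms'])))

def find_blocked_core_handlers(log_text):
    """Return (pid, path or name, target type) for every matching denial."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and is_blocked_core_handler(rec):
            hits.append((rec.get('pid'), rec.get('path', rec.get('name')), rec.get('tcontext_type')))
    return hits

if __name__ == '__main__':
    for pid, target, ttype in find_blocked_core_handlers(SAMPLE_LOG):
        print(f'pid {pid}: kernel denied executing {target} (labelled {ttype})')
```

Feed it the output of journalctl -k or /var/log/dmesg from the admin container; the nosuid_transition and unrelated container denials are parsed but not reported.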