SELinux Policy for OpenShift Containers

Zhimin Wen
6 min read · Oct 2, 2021

I was exploring Cilium on OpenShift; this paper summarizes what is required for a container to run properly in OpenShift, where SELinux is turned on by default.

The Problem

After installing Cilium, hubble-relay is unable to connect to hubble through the Unix socket, and therefore the Hubble UI cannot show the connection topologies. The error is logged as follows:

level=warning msg="Failed to create peer client for peers synchronization; will try again after the timeout has expired" error="context deadline exceeded" subsys=hubble-relay target="unix:///var/run/cilium/hubble.sock"

Simulated App

To isolate the issue, hubble and hubble-relay are simplified into two separate processes that communicate through a Unix socket. The server process listens on the socket and, upon a client connection, echoes the input back to the client.

package main

import (
	"io"
	"net"
	"os"

	"github.com/sirupsen/logrus"
)

func main() {
	// The socket path can be overridden through APP_UNIX_SOCK.
	socketFile := os.Getenv("APP_UNIX_SOCK")
	if socketFile == "" {
		socketFile = "/var/run/app.sock"
	}
	// Remove any stale socket file left by a previous run; Listen fails otherwise.
	err := os.RemoveAll(socketFile)
	if err != nil {
		logrus.Fatalf("Failed to remove socket file: %v", err)
	}
	listener, err := net.Listen("unix", socketFile)
	if err != nil {
		logrus.Fatalf("Failed to listen on socket file: %s", err)
	}
	defer listener.Close()
	for {
		client, err := listener.Accept()
		if err != nil {
			logrus.Fatalf("Error on accept: %s", err)
		}
		logrus.WithFields(logrus.Fields{
			"local":  client.LocalAddr(),
			"remote": client.RemoteAddr(),
		}).Infof("client connected")
		// Echo everything the client sends back to it, one goroutine per connection.
		go func(c net.Conn) {
			defer c.Close()
			io.Copy(c, c)
		}(client)
	}
}

For the client app, we just use netcat to connect to the Unix socket.
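The two processes above exercised end to end, as an added example that is not from the original post: echoServer is the simplified hubble server described above, and probeSocket plays the netcat/hubble-relay role, classifying connect failures so that a permission denial (how an SELinux denial reaches the client) is told apart from a missing socket file. The socket path under os.TempDir() is a constructed stand-in for /var/run/app.sock.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"io"
	"net"
	"os"
	"time"
)

// echoServer is the simplified hubble server above: listen on path and echo every connection back.
func echoServer(path string) net.Listener {
	_ = os.RemoveAll(path) // a stale socket file from an earlier run would make Listen fail
	ln, err := net.Listen("unix", path)
	if err != nil {
		panic(err) // test stand-in: a listen failure is fatal for the demo
	}
	go func() { // serve until the listener is closed
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			go func(c net.Conn) { defer c.Close(); io.Copy(c, c) }(c)
		}
	}()
	return ln
}

// probeSocket plays the relay/netcat role: dial, send one line, return the echo.
// Dial failures get a hint: EACCES is how an SELinux denial reaches the client.
func probeSocket(path, msg string, timeout time.Duration) (string, error) {
	c, err := net.DialTimeout("unix", path, timeout)
	switch {
	case errors.Is(err, os.ErrPermission):
		return "", fmt.Errorf("denied on %s: compare the socket's SELinux label with the client's context: %w", path, err)
	case errors.Is(err, os.ErrNotExist):
		return "", fmt.Errorf("no socket at %s: is the volume mounted in both pods? %w", path, err)
	case err != nil:
		return "", err
	}
	defer c.Close()
	c.SetDeadline(time.Now().Add(timeout)) // a server that accepts but never echoes must not hang us
	fmt.Fprintln(c, msg)
	return bufio.NewReader(c).ReadString('\n')
}

func main() {
	ln := echoServer(os.TempDir() + "/app.sock") // constructed local path
	defer ln.Close()
	fmt.Println(probeSocket(ln.Addr().String(), "hello", 2*time.Second))
}
```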

Compile the program, build the container image, and push it to the OpenShift internal registry.

Deployment

Create the following deployment file for the server:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: server
  labels:
    app: server
spec:
  replicas: 1
  selector:
    matchLabels:
      app: server
  template:
    metadata:
      labels…
