Merge pull request #4705 from dweomer/selinx-relabel-dev-shm-but-not-with-hostipc

estesp · web-flow · commit 8efb17cc99c7 · 2020-11-16T21:27:54.000-05:00
cri: selinuxrelabel=false for /dev/shm w/ host ipc
diff --git a/pkg/cri/server/container_create_linux.go b/pkg/cri/server/container_create_linux.go
@@ -102,7 +102,7 @@ func (c *criService) containerMounts(sandboxID string, config *runtime.Container
 			ContainerPath:  devShm,
 			HostPath:       sandboxDevShm,
 			Readonly:       false,
-			SelinuxRelabel: true,
+			SelinuxRelabel: sandboxDevShm != devShm,
 		})
 	}
 	return mounts
diff --git a/pkg/cri/server/container_create_linux_test.go b/pkg/cri/server/container_create_linux_test.go
@@ -455,9 +455,10 @@ func TestContainerMounts(t *testing.T) {
 					Readonly:      true,
 				},
 				{
-					ContainerPath: "/dev/shm",
-					HostPath:      filepath.Join(testStateDir, sandboxesDir, testSandboxID, "shm"),
-					Readonly:      false,
+					ContainerPath:  "/dev/shm",
+					HostPath:       filepath.Join(testStateDir, sandboxesDir, testSandboxID, "shm"),
+					Readonly:       false,
+					SelinuxRelabel: true,
 				},
 			},
 		},
@@ -480,9 +481,10 @@ func TestContainerMounts(t *testing.T) {
 					Readonly:      false,
 				},
 				{
-					ContainerPath: "/dev/shm",
-					HostPath:      filepath.Join(testStateDir, sandboxesDir, testSandboxID, "shm"),
-					Readonly:      false,
+					ContainerPath:  "/dev/shm",
+					HostPath:       filepath.Join(testStateDir, sandboxesDir, testSandboxID, "shm"),
+					Readonly:       false,
+					SelinuxRelabel: true,
 				},
 			},
 		},
@@ -553,9 +555,10 @@ func TestContainerMounts(t *testing.T) {
 					Readonly:      false,
 				},
 				{
-					ContainerPath: "/dev/shm",
-					HostPath:      filepath.Join(testStateDir, sandboxesDir, testSandboxID, "shm"),
-					Readonly:      false,
+					ContainerPath:  "/dev/shm",
+					HostPath:       filepath.Join(testStateDir, sandboxesDir, testSandboxID, "shm"),
+					Readonly:       false,
+					SelinuxRelabel: true,
 				},
 			},
 		},

Original file line number	Diff line number	Diff line change
`@@ -102,7 +102,7 @@ func (c criService) containerMounts(sandboxID string, config runtime.Container`
`102`	`102`	`ContainerPath: devShm,`
`103`	`103`	`HostPath: sandboxDevShm,`
`104`	`104`	`Readonly: false,`
`105`		`- SelinuxRelabel: true,`
	`105`	`+ SelinuxRelabel: sandboxDevShm != devShm,`
`106`	`106`	`})`
`107`	`107`	`}`
`108`	`108`	`return mounts`