cri: selinux relabel /dev/shm

dweomer · dweomer · commit e8d8ae3b97ea · 2020-11-06T12:05:17.000-07:00
Address an issue originally seen in the k3s 1.3 and 1.4 forks of containerd/cri, k3s-io/k3s#2240 Even with updated container-selinux policy, container-local /dev/shm will get mounted with container_runtime_tmpfs_t because it is a tmpfs created by the runtime and not the container (thus, container_runtime_t transition rules apply). The relabel mitigates such, allowing envoy proxy to work correctly (and other programs that wish to write to their /dev/shm) under selinux. Tested locally with: - SELINUX=Enforcing vagrant up --provision-with=shell,selinux,test-integration - SELINUX=Enforcing CRITEST_ARGS=--ginkgo.skip='HostIpc is true' vagrant up --provision-with=shell,selinux,test-cri - SELINUX=Permissive CRITEST_ARGS=--ginkgo.focus='HostIpc is true' vagrant up --provision-with=shell,selinux,test-cri Signed-off-by: Jacob Blain Christen <jacob@rancher.com>
diff --git a/pkg/cri/server/container_create_linux.go b/pkg/cri/server/container_create_linux.go
@@ -99,9 +99,10 @@ func (c *criService) containerMounts(sandboxID string, config *runtime.Container
 			sandboxDevShm = devShm
 		}
 		mounts = append(mounts, &runtime.Mount{
-			ContainerPath: devShm,
-			HostPath:      sandboxDevShm,
-			Readonly:      false,
+			ContainerPath:  devShm,
+			HostPath:       sandboxDevShm,
+			Readonly:       false,
+			SelinuxRelabel: true,
 		})
 	}
 	return mounts

Original file line number	Diff line number	Diff line change
`@@ -99,9 +99,10 @@ func (c criService) containerMounts(sandboxID string, config runtime.Container`
`99`	`99`	`sandboxDevShm = devShm`
`100`	`100`	`}`
`101`	`101`	`mounts = append(mounts, &runtime.Mount{`
`102`		`- ContainerPath: devShm,`
`103`		`- HostPath: sandboxDevShm,`
`104`		`- Readonly: false,`
	`102`	`+ ContainerPath: devShm,`
	`103`	`+ HostPath: sandboxDevShm,`
	`104`	`+ Readonly: false,`
	`105`	`+ SelinuxRelabel: true,`
`105`	`106`	`})`
`106`	`107`	`}`
`107`	`108`	`return mounts`