From e8d8ae3b97ea77ab21b2ab05cc6b5c00541bc527 Mon Sep 17 00:00:00 2001 From: Jacob Blain Christen Date: Fri, 6 Nov 2020 11:18:35 -0700 Subject: [PATCH] cri: selinux relabel /dev/shm Address an issue originally seen in the k3s 1.3 and 1.4 forks of containerd/cri, https://github.com/rancher/k3s/issues/2240 Even with updated container-selinux policy, container-local /dev/shm will get mounted with container_runtime_tmpfs_t because it is a tmpfs created by the runtime and not the container (thus, container_runtime_t transition rules apply). The relabel mitigates such, allowing envoy proxy to work correctly (and other programs that wish to write to their /dev/shm) under selinux. Tested locally with: - SELINUX=Enforcing vagrant up --provision-with=shell,selinux,test-integration - SELINUX=Enforcing CRITEST_ARGS=--ginkgo.skip='HostIpc is true' vagrant up --provision-with=shell,selinux,test-cri - SELINUX=Permissive CRITEST_ARGS=--ginkgo.focus='HostIpc is true' vagrant up --provision-with=shell,selinux,test-cri Signed-off-by: Jacob Blain Christen --- pkg/cri/server/container_create_linux.go | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/pkg/cri/server/container_create_linux.go b/pkg/cri/server/container_create_linux.go index 3e6579093..f6555eea8 100644 --- a/pkg/cri/server/container_create_linux.go +++ b/pkg/cri/server/container_create_linux.go @@ -99,9 +99,10 @@ func (c *criService) containerMounts(sandboxID string, config *runtime.Container sandboxDevShm = devShm } mounts = append(mounts, &runtime.Mount{ - ContainerPath: devShm, - HostPath: sandboxDevShm, - Readonly: false, + ContainerPath: devShm, + HostPath: sandboxDevShm, + Readonly: false, + SelinuxRelabel: true, }) } return mounts