diff --git a/pkg/cri/server/container_create_linux.go b/pkg/cri/server/container_create_linux.go
index f6555eea8..6c4eaeb0b 100644
--- a/pkg/cri/server/container_create_linux.go
+++ b/pkg/cri/server/container_create_linux.go
@@ -102,7 +102,7 @@ func (c *criService) containerMounts(sandboxID string, config *runtime.Container
 ContainerPath: devShm,
 HostPath: sandboxDevShm,
 Readonly: false,
- SelinuxRelabel: true,
+ SelinuxRelabel: sandboxDevShm != devShm,
 })
 }
 return mounts
diff --git a/pkg/cri/server/container_create_linux_test.go b/pkg/cri/server/container_create_linux_test.go
index 6cad5f5c1..be6811e28 100644
--- a/pkg/cri/server/container_create_linux_test.go
+++ b/pkg/cri/server/container_create_linux_test.go
@@ -455,9 +455,10 @@ func TestContainerMounts(t *testing.T) {
 Readonly: true,
 },
 {
- ContainerPath: "/dev/shm",
- HostPath: filepath.Join(testStateDir, sandboxesDir, testSandboxID, "shm"),
- Readonly: false,
+ ContainerPath: "/dev/shm",
+ HostPath: filepath.Join(testStateDir, sandboxesDir, testSandboxID, "shm"),
+ Readonly: false,
+ SelinuxRelabel: true,
 },
 },
 },
@@ -480,9 +481,10 @@ func TestContainerMounts(t *testing.T) {
 Readonly: false,
 },
 {
- ContainerPath: "/dev/shm",
- HostPath: filepath.Join(testStateDir, sandboxesDir, testSandboxID, "shm"),
- Readonly: false,
+ ContainerPath: "/dev/shm",
+ HostPath: filepath.Join(testStateDir, sandboxesDir, testSandboxID, "shm"),
+ Readonly: false,
+ SelinuxRelabel: true,
 },
 },
 },
@@ -553,9 +555,10 @@ func TestContainerMounts(t *testing.T) {
 Readonly: false,
 },
 {
- ContainerPath: "/dev/shm",
- HostPath: filepath.Join(testStateDir, sandboxesDir, testSandboxID, "shm"),
- Readonly: false,
+ ContainerPath: "/dev/shm",
+ HostPath: filepath.Join(testStateDir, sandboxesDir, testSandboxID, "shm"),
+ Readonly: false,
+ SelinuxRelabel: true,
 },
 },
 },
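Review bot: The new `SelinuxRelabel: sandboxDevShm != devShm` in containerMounts carries a security decision with no comment explaining it. When the two paths are equal the mount source is the host's own `/dev/shm` (presumably the host-IPC case, assigned outside this hunk), and relabeling it would rewrite the SELinux label on a host directory shared with other processes. I would add `// Never relabel the host's /dev/shm: with host IPC the source is a shared host path, not a per-sandbox directory.` above the field. The check is also a plain string comparison, so it holds only if sandboxDevShm is assigned exactly devShm; deriving the flag from the IPC namespace mode would state the intent directly, if that value is in scope here. The function starts and ends outside the hunk.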
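Review bot: All three updated expectations in TestContainerMounts (the hunk at -455 and the ones at -480 and -553) assert `SelinuxRelabel: true`, so the branch this commit introduces, no relabel when the host path is `/dev/shm` itself, is not pinned by any expectation visible here. If no host-IPC case exists elsewhere in the table, add one whose expected mount has `HostPath: "/dev/shm"` and `SelinuxRelabel: false`, so that a regression which relabels the host directory fails the test. The test table and the function continue outside these hunks.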