Bug 1868122

Summary: SELinux pod settings alter the behavior of SELinux categories
Product: OpenShift Container Platform
Reporter: Jed Lejosne <jlejosne>
Component: Node
Assignee: Giuseppe Scrivano <gscrivan>
Status: CLOSED ERRATA
QA Contact: MinLi <minmli>
Severity: medium
Priority: medium
Version: 4.5
CC: aos-bugs, jokerman, sjenning
Target Release: 4.6.0
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Last Closed: 2020-10-27 16:27:34 UTC
Type: Bug

Comment 1 Giuseppe Scrivano 2020-08-12 09:59:35 UTC
I am not sure this is an issue; if you want a specific level you can do it with:

apiVersion: v1
kind: Pod
metadata:
  name: pod
spec:
  securityContext:
    seLinuxOptions:
      user: system_u
      level: s0:c683,c783
  containers:
    - name: c1
      image: fedora
      command: [ "/bin/sleep", "1d" ]
    - name: c2
      image: fedora
      command: [ "/bin/sleep", "1d" ]

As Dan Walsh suggested on the upstream issue, it is better not to specify any and let the runtime pick the correct setting.

Comment 2 Jed Lejosne 2020-08-12 12:22:42 UTC
To me, the fact that an option unrelated to categories changes the core way categories are managed is an issue.

Manually specifying a level is a non-starter. I don't know which categories are available, I don't even know which node my pod will run on!

Finally, if these options are not meant to be used, they should probably be removed...

Comment 3 Giuseppe Scrivano 2020-08-12 14:07:40 UTC
PR here: https://github.com/cri-o/cri-o/pull/4071

Comment 4 Jed Lejosne 2020-08-12 14:49:34 UTC
Thank you! I reviewed the PR and left a comment.

Comment 7 MinLi 2020-08-20 03:34:48 UTC
Verified in version: 4.6.0-0.nightly-2020-08-18-165040

$ oc exec -it pod -c c1 -- /bin/ls -Zd /
system_u:object_r:container_file_t:s0:c200,c907 /

$ oc exec -it pod -c c2 -- /bin/ls -Zd /
system_u:object_r:container_file_t:s0:c200,c907 /

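Added example (not part of the bug report or of CRI-O): a small Python checker that parses the `ls -Zd /` context printed for each container of a pod and confirms that all containers carry one shared MCS category set, which is the property QA verified above. The sample output lines are constructed for the example.

```python
import re

# Constructed sample output of `oc exec -it pod -c <name> -- /bin/ls -Zd /`
# for the two containers of one pod (made up for this example).
SAMPLE_LS_Z = {
    "c1": "system_u:object_r:container_file_t:s0:c200,c907 /",
    "c2": "system_u:object_r:container_file_t:s0:c200,c907 /",
}

# user:role:type:level, where level is a sensitivity (s0) plus an optional
# comma-separated MCS category list. Ranges such as s0-s0:c0.c1023 are not
# handled here; container labels use the plain form shown in the bug.
CONTEXT_RE = re.compile(
    r"^(?P<user>[^:\s]+):(?P<role>[^:\s]+):(?P<type>[^:\s]+)"
    r":(?P<level>s\d+(?::c\d+(?:,c\d+)*)?)\s"
)


def parse_context(ls_z_line):
    """Split one `ls -Z` line into its user, role, type and level fields."""
    m = CONTEXT_RE.match(ls_z_line)
    if not m:
        raise ValueError(f"not an SELinux context line: {ls_z_line!r}")
    return m.groupdict()


def mcs_categories(level):
    """Return the MCS category numbers of a level such as 's0:c200,c907'."""
    _sensitivity, _, cats = level.partition(":")
    if not cats:
        return set()
    return {int(c[1:]) for c in cats.split(",")}


def pod_categories(per_container):
    """Map container name -> its MCS category set, from `ls -Zd /` output."""
    return {
        name: mcs_categories(parse_context(line)["level"])
        for name, line in per_container.items()
    }


def pod_shares_categories(per_container):
    """True when every container in the pod has the same non-empty category
    set; distinct sets mean the containers were labelled independently."""
    sets = [frozenset(c) for c in pod_categories(per_container).values()]
    return len(set(sets)) == 1 and bool(sets[0])
```

Feed it the real `ls -Zd /` line of each container and it reports whether the pod's containers were labelled as one unit.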
Comment 9 errata-xmlrpc 2020-10-27 16:27:34 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4196