I am not sure this is an issue; if you want a specific level you can do it with:

apiVersion: v1
kind: Pod
metadata:
  name: pod
spec:
  securityContext:
    seLinuxOptions:
      user: system_u
      level: s0:c683,c783
  containers:
  - name: c1
    image: fedora
    command: [ "/bin/sleep", "1d" ]
  - name: c2
    image: fedora
    command: [ "/bin/sleep", "1d" ]

As Dan Walsh suggested on the upstream issue, it is better to not specify any and let the runtime pick the correct setting.
To me, the fact that an option unrelated to categories changes the core way categories are managed is an issue. Manually specifying a level is a non-starter. I don't know which categories are available, I don't even know which node my pod will run on! Finally, if these options are not meant to be used, they should probably be removed...
PR here: https://github.com/cri-o/cri-o/pull/4071
Thank you! I reviewed the PR and left a comment.
Verified in version 4.6.0-0.nightly-2020-08-18-165040:

$ oc exec -it pod -c c1 -- /bin/ls -Zd /
system_u:object_r:container_file_t:s0:c200,c907 /
$ oc exec -it pod -c c2 -- /bin/ls -Zd /
system_u:object_r:container_file_t:s0:c200,c907 /
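As an added example (not from this bug thread, CRI-O or OpenShift), a small Python parser for the contexts printed by the verification above: it checks that both containers of the pod received the same MCS level, as the verification does, and that two different category pairs (such as the s0:c683,c783 from the pod spec earlier in the thread) do not dominate each other. The `ls -Z` lines are constructed to match the ones quoted here, and the function names are the example's own.

```python
import re
from typing import FrozenSet, NamedTuple

# Constructed sample in the shape of `ls -Zd /` run in each container of one
# pod (modelled on the contexts in this bug, not captured from a cluster).
SAMPLE_LS_Z = {
    "c1": "system_u:object_r:container_file_t:s0:c200,c907 /",
    "c2": "system_u:object_r:container_file_t:s0:c200,c907 /",
}
CONTEXT_RE = re.compile(r"^(?P<user>[^:\s]+):(?P<role>[^:\s]+):(?P<type>[^:\s]+)"
                        r":s(?P<sens>\d+)(?::(?P<cats>c[\dc,.]+))?")

class SELinuxContext(NamedTuple):
    user: str
    role: str
    type: str
    sensitivity: int            # the N in sN
    categories: FrozenSet[int]  # MCS categories, e.g. {200, 907}

def _category(tok: str) -> int:
    # 'c907' -> 907; anything outside the MCS range c0..c1023 is rejected
    if not re.fullmatch(r"c\d+", tok) or not 0 <= int(tok[1:]) <= 1023:
        raise ValueError(f"bad category {tok!r}")
    return int(tok[1:])

def parse_categories(spec: str) -> FrozenSet[int]:
    """Parse 'c200,c907' or a range such as 'c0.c3' into a set of integers."""
    out = set()
    for part in filter(None, spec.split(",")):
        lo, _, hi = part.partition(".")  # 'c0.c3' is the MCS range syntax
        lo_n, hi_n = _category(lo), _category(hi or lo)
        if lo_n > hi_n:
            raise ValueError(f"inverted range {part!r}")
        out.update(range(lo_n, hi_n + 1))
    return frozenset(out)

def parse_context(line: str) -> SELinuxContext:
    # Parse the context at the start of an `ls -Z` line; the path is ignored.
    m = CONTEXT_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an SELinux context: {line!r}")
    return SELinuxContext(m["user"], m["role"], m["type"], int(m["sens"]),
                          parse_categories(m["cats"] or ""))

def same_level(ls_z_by_container: dict) -> bool:
    # True when every container of the pod got one MCS level (shared volumes need it).
    ctxs = [parse_context(v) for v in ls_z_by_container.values()]
    return len({(c.sensitivity, c.categories) for c in ctxs}) == 1

def dominates(subject: SELinuxContext, obj: SELinuxContext) -> bool:
    # MCS rule: access requires the subject's categories to be a superset of the object's.
    return subject.sensitivity >= obj.sensitivity and subject.categories >= obj.categories
```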
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:4196