containerd: selinux not working under containerd with selinux-enable=true
Description
I have two k8s clusters, one using Docker and another using containerd directly, both with SELinux enabled. But I found SELinux not actually working on the containerd one, although these two clusters have the same version of containerd and runc.
Did I miss some setting with containerd?
Steps to reproduce the issue:
- enable SELinux by setting enable_selinux = true in /etc/containerd/config.toml
- create a pod using the official tomcat image
- check the process and file labels
Describe the results you received:
# kubectl exec tomcat -it -- ps -eZ
LABEL PID TTY TIME CMD
system_u:system_r:spc_t:s0 1 ? 00:00:00 java
# ls -Z /usr/local/openjdk-8/bin/java
system_u:object_r:container_var_lib_t:s0 /usr/local/openjdk-8/bin/java
Describe the results you expected:
# kubectl exec tomcat -it -- ps -eZ
LABEL PID TTY TIME CMD
system_u:system_r:container_t:s0:c655,c743 1 ? 00:00:00 java
# ls -Z /usr/local/openjdk-8/bin/java
system_u:object_r:container_file_t:s0:c655,c743 /usr/local/openjdk-8/bin/java
Output of containerd --version:
# containerd -v
containerd 1.2.10 b34a5c8af56e510852c35414db4c1f4fa6172339
Any other relevant information: OS: CentOS 7, rpm repo https://download.docker.com/linux/centos/7/, K8s version: 1.15, containerd version: 1.2.10
About this issue
- State: closed
- Created 4 years ago
- Comments: 22 (12 by maintainers)
This has been updated for 1.4 on CRI and we have validated this.
Please update and you should be good to go with selinux support.
I’ve opened https://github.com/containers/container-selinux/pull/98 to address a policy gap on Fedora 32 (which likely addresses the problems you are seeing here for the 1.4 series of containerd, as it resolves 10 of the 11 outstanding failures when running the critest suite with selinux=enforcing). My next task is to back-port this to CentOS 7.
Additionally, the 1.3 series branch of containerd does not yet have all of the selinux-related code backported to it. We have worked on back-porting the selinux bits from master to a 1.3 series branch at rancher/containerd@k3s-release/1.3 with the bulk of the changes in rancher/cri@k3s-release/1.3. My hope is to work on upstreaming these back to the containerd project after I’ve sorted out and validated our 1.3 series fork with the updated policy.