# SELinux relabel skip for Super Privileged containers (`spc_t`)
## Setup
- Start with a cluster that contains https://github.com/cri-o/cri-o/pull/5386, or
  the latest nightly if the PR has been merged into `main`.
- Deploy OCS:
  - Create an OCP cluster that has worker nodes of type m5.2xlarge.
  - Once the cluster is ready, install the OCS operator from OperatorHub.
  - Once the operator is installed, it will offer to create a `StorageCluster` object.
  - Create the `StorageCluster` object and make sure to install a 0.5TB cluster.
  - Once the `StorageCluster` is available, OCS is ready to be used.
- Create a PVC so the pod can access the volume:
```yaml
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: myclaim
spec:
  accessModes:
  - ReadWriteMany
  storageClassName: ocs-storagecluster-cephfs
  resources:
    requests:
      storage: 15Gi
```
- Finally, create the deployment:
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: sandbox
spec:
  replicas: 1
  selector:
    matchLabels:
      run: sandbox
  template:
    metadata:
      labels:
        run: sandbox
    spec:
      nodeSelector:
        kubernetes.io/hostname: $NODE
      containers:
      - name: sandbox
        image: gcr.io/google_containers/busybox
        command:
        - "/bin/sh"
        - "-c"
        - "while true; do date; echo `date` >>/mnt/test/date; sleep 5; done"
        volumeMounts:
        - name: vol
          mountPath: /mnt/test
        securityContext:
          seLinuxOptions:
            type: "spc_t"
      volumes:
      - name: vol
        persistentVolumeClaim:
          claimName: myclaim
```
Here `$NODE` is the name of the node you want to schedule the pod on; you will
need this node again during validation.

**Note: It is also possible to set `seLinuxOptions` for the whole Pod through the
pod's `securityContext` rather than specifying it at the container level.**
## Validation steps
- Now that the pod is running, create a file inside it:
```
oc rsh $(oc get pods | grep sandbox | awk '{ printf $1 }') touch /mnt/test/hello
```
- Run `oc debug node/$NODE` and then `chroot /host`.
- Find the mount point on the host (the container ID from `crictl` locates the
  runc bundle, whose `config.json` records the host source of the `/mnt/test` mount):
```
cid=$(crictl ps -a | grep sandbox | awk '{ printf $1 }')
bundle=$(runc list | grep $cid | awk '{ printf $4 }')
mount=$(jq -r '.mounts[] | select(.destination=="/mnt/test") | .source' $bundle/config.json)
```
- Check the SELinux label of our file:
```
ls -lZ $mount
```
- `chcon` the file to a different type:
```
chcon -t unlabeled_t $mount/hello
```
- Recreate the pod:
```
oc delete deployment/sandbox
oc create -f $deployment.yaml
```
- Wait a moment for the pod to be created.
- Verify the label is still `unlabeled_t` with `ls -lZ $mount` again.
- Alternatively, check the CRI-O logs on the node for the line:
```
Skipping relabel for … because of super privileged container
```
If the file still says `unlabeled_t`, the relabel was not performed and we have
successfully avoided the recursive relabel! :) If it has changed back to
`container_file_t`, the runtime relabeled the volume and the skip did not apply.
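The two checks behind the steps above (that the manifest really makes the container `spc_t`, including the pod-level versus container-level precedence the note mentions, and that the `chcon`'d label survived recreating the pod) can be scripted. This is an added example, not code from CRI-O or from this test plan; it assumes the Deployment is available as a dict (the shape `oc get deployment sandbox -o json` yields) and takes `ls -lZ` output as text; the manifest and listing below are constructed.

```python
# Constructed Deployment, mirroring the manifest in this test plan (only the
# fields that matter here are included).
SANDBOX_DEPLOYMENT = {"spec": {"template": {"spec": {
    "containers": [{
        "name": "sandbox",
        "securityContext": {"seLinuxOptions": {"type": "spc_t"}},
        "volumeMounts": [{"name": "vol", "mountPath": "/mnt/test"}],
    }],
}}}}

def _selinux_type(obj):
    """securityContext.seLinuxOptions.type of a pod or container spec, or None."""
    return obj.get("securityContext", {}).get("seLinuxOptions", {}).get("type")

def effective_selinux_types(deployment):
    """Map container name -> SELinux type the runtime will start it with.
    A container-level seLinuxOptions overrides the pod-level one; None means
    the runtime's default process type applies."""
    pod = deployment["spec"]["template"]["spec"]
    pod_type = _selinux_type(pod)
    return {c["name"]: _selinux_type(c) or pod_type for c in pod["containers"]}

def relabel_would_be_skipped(deployment, container="sandbox"):
    """True when the container runs as spc_t, the case in which the CRI-O
    change under test skips the recursive relabel of its volume mounts."""
    return effective_selinux_types(deployment).get(container) == "spc_t"

def labels_from_ls_z(listing):
    """Parse `ls -lZ` output into {filename: selinux_type}.
    Fields: mode links user group label size month day time name; the type is
    the third colon-separated component of the label."""
    result = {}
    for line in listing.splitlines():
        fields = line.split()
        if len(fields) < 9 or fields[0] == "total":  # skip 'total N' and blanks
            continue
        parts = fields[4].split(":")
        result[fields[-1]] = parts[2] if len(parts) >= 3 else None
    return result

def relabel_was_skipped(listing, filename="hello", expected_type="unlabeled_t"):
    """True if the file we chcon'ed before recreating the pod still carries the
    hand-set type; False if the runtime relabeled it (e.g. to container_file_t)."""
    return labels_from_ls_z(listing).get(filename) == expected_type

# Constructed `ls -lZ $mount` output after the pod was recreated as spc_t.
AFTER_SPC_T = """\
total 8
-rw-r--r--. 1 root root system_u:object_r:container_file_t:s0 1450 Nov  3 10:05 date
-rw-r--r--. 1 root root system_u:object_r:unlabeled_t:s0          0 Nov  3 10:04 hello
"""

if __name__ == "__main__":
    print("spc_t container:", relabel_would_be_skipped(SANDBOX_DEPLOYMENT))
    print("label preserved:", relabel_was_skipped(AFTER_SPC_T))
```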