[BUG] restorecon seems to relabel files unnecessarily under /var/lib/kubelet/pods/<id>/volumes/kubernetes.io~projected/ and secret

[maage]

What happened?

I ran restorecon -nvR /var and notices it would have modified fcontext of some kube files that I think have reasonable fcontexts and that new fcontexts would not be as reasonable.

What did you expect to happen?

Restorecon should not relabel any files if there is no misconfiguration.

How to reproduce it (as minimally and precisely as possible)?

1. build microshift in Fedora 41
2. install microshift in Fedora 41
3. start microshift
4. run sudo restorecon -nvR -e /var/lib/mock -e /var/cache/mock /var | tee restorecon.txt

Anything else we need to know?

I think this should be tested. Start microshift. Run restorecon against any of the files where microshift data is, and there should note be any changes. This seems to be too limited,

microshift/test/resources/selinux.py

Lines 15 to 32 in cf7ae1b

	CONTEXT_CHECK_MAP = {
	"system_u:object_r:container_var_lib_t:s0": [
	"/var/lib/microshift",
	"/var/lib/microshift-backups",
	],
	"system_u:object_r:container_log_t:s0": [
	"/var/log/kube-apiserver",
	],
	"system_u:object_r:kubelet_exec_t:s0": [
	"/usr/bin/microshift",
	"/usr/bin/microshift-etcd",
	],
	"system_u:object_r:kubernetes_file_t:s0": [
	"/etc/microshift",
	"/etc/microshift/manifests",
	"/etc/microshift/manifests.d",
	],
	}

• /var/lib/kubelet
• /var/lib/crio
• /var/lib/openvswitch
• /var/lib/cni
• /var/log/pods
• /var/log/ovn-kubernetes
• /var/log/openvswitch
• /var/log/crio
• /var/log/ovn

And this should employ restorecon, as 'ls -Zd` does not catch issues deep in directory structure.

microshift/test/resources/selinux.py

Lines 240 to 251 in cf7ae1b

	def run_fcontext_check() -> List[str]:
	ls_cmd = "ls -Zd"
	incorrect_fcontext = []
	for context, file_paths in CONTEXT_CHECK_MAP.items():
	for file_path in file_paths:
	stdout, rc = remote_sudo_rc(f"{ls_cmd} {file_path} | awk '{{print $1 }}'")
	BuiltIn().should_not_be_empty(stdout)
	BuiltIn().should_be_equal_as_integers(rc, 0)
	if context_do_not_match(stdout, context):
	incorrect_fcontext.append(f"expected {file_path} to have context of ({context}) but got ({stdout})")
	return incorrect_fcontext

Environment

• MicroShift version (use microshift version):

MicroShift Version: 4.18.0
Base OCP Version: 4.18.0-0.nightly-2025-01-09-012852

• Hardware configuration:
• OS (e.g: cat /etc/os-release):

NAME="Fedora Linux"
VERSION="41 (Workstation Edition)"
RELEASE_TYPE=stable
ID=fedora
VERSION_ID=41
VERSION_CODENAME=""
PLATFORM_ID="platform:f41"
PRETTY_NAME="Fedora Linux 41 (Workstation Edition)"
ANSI_COLOR="0;38;2;60;110;180"
LOGO=fedora-logo-icon
CPE_NAME="cpe:/o:fedoraproject:fedora:41"
DEFAULT_HOSTNAME="fedora"
HOME_URL="https://fedoraproject.org/"
DOCUMENTATION_URL="https://docs.fedoraproject.org/en-US/fedora/f41/system-administrators-guide/"
SUPPORT_URL="https://ask.fedoraproject.org/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Fedora"
REDHAT_BUGZILLA_PRODUCT_VERSION=41
REDHAT_SUPPORT_PRODUCT="Fedora"
REDHAT_SUPPORT_PRODUCT_VERSION=41
SUPPORT_END=2025-12-15
VARIANT="Workstation Edition"
VARIANT_ID=workstation

• Kernel (e.g. uname -a):

Linux test 6.12.8-200.fc41.x86_64 #1 SMP PREEMPT_DYNAMIC Thu Jan 2 19:26:03 UTC 2025 x86_64 GNU/Linux

• Others:

container-selinux-2.234.2-1.fc41.noarch
selinux-policy-targeted-0:41.28-1.fc41.noarch

Relevant logs

Would relabel /var/lib/kubelet/pods/4f9ad0d6-9a40-44b9-af85-a62af7e9ebe1/volumes/kubernetes.io~projected/kube-api-access-285xq from system_u:object_r:tmpfs_t:s0 to system_u:object_r:container_var_lib_t:s0
Would relabel /var/lib/kubelet/pods/4f9ad0d6-9a40-44b9-af85-a62af7e9ebe1/volumes/kubernetes.io~projected/kube-api-access-285xq/..data from system_u:object_r:container_runtime_tmpfs_t:s0 to system_u:object_r:container_var_lib_t:s0
...
Would relabel /var/lib/kubelet/pods/0802e07b-5854-4c18-ac85-4c9d579a7646/volumes/kubernetes.io~secret/metrics-cert from system_u:object_r:tmpfs_t:s0 to system_u:object_r:container_var_lib_t:s0
Would relabel /var/lib/kubelet/pods/0802e07b-5854-4c18-ac85-4c9d579a7646/volumes/kubernetes.io~secret/metrics-cert/..2025_01_18_13_42_34.2656841619 from system_u:object_r:container_runtime_tmpfs_t:s0 to system_u:object_r:container_var_lib_t:s0
...

[pacevedom]

/assign @copejon

[copejon]

Hi @maage, thank you for the contribution. Was the device rebooted after microshift was installed? This is a necessary step (or could be shortcut as you've seen with restorecon). Without rebooting, none of the installed labels are applied, hence the long list of Would relabel lines.

The policies microshift defines pertain only to microshift data. The container runtime policies are dictated by container-selinux, thus I'm extremely hesitant to override them without very good cause.

[copejon]

Closing due to lack of response from the author. Please feel free to start a discussion regarding the topic on the community slack channel https://microshift.slack.com