Merge pull request #1965 from hasan4791/fix-selabel

Update selinux label from container_file_t to nfs_t

Author: AkihiroSuda

hack/test-selinux.sh

@@ -12,7 +12,16 @@ if [ "$#" -ne 1 ]; then
 fi
 
 NAME="$1"
-expected="context=system_u:object_r:container_file_t:s0"
+##########################################################################################
+## When using vz & virtiofs, initially container_file_t selinux label
+## was considered which works perfectly for container work loads
+## but it might break for other work loads if the process is running with
+## different label. Also these are the remote mounts from the host machine,
+## so keeping the label as nfs_t fits right. Package container-selinux by
+## default adds rules for nfs_t context which allows container workloads to work as well.
+## https://github.com/lima-vm/lima/pull/1965
+##########################################################################################
+expected="context=system_u:object_r:nfs_t:s0"
 #Skip Rosetta checks for x86 GHA mac runners
 if [[ "$(uname)" == "Darwin" && "$(arch)" == "arm64" ]]; then
 	INFO "Testing secontext is set for rosetta mounts"
@@ -38,7 +47,7 @@ if [[ $got != *$expected* ]]; then
 	exit 1
 fi
 INFO "Checking in fstab file"
-expected='context="system_u:object_r:container_file_t:s0"'
+expected='context="system_u:object_r:nfs_t:s0"'
 got=$(limactl shell "$NAME" cat /etc/fstab | grep "$HOME" | awk '{print $4}')
 INFO "secontext ${HOME}: expected=${expected}, got=${got}"
 if [[ $got != *$expected* ]]; then

pkg/cidata/cidata.TEMPLATE.d/boot/05-lima-mounts.sh

@@ -14,7 +14,16 @@ if [ -d /sys/fs/selinux ]; then
 	for line in $(grep -n virtiofs </etc/fstab | cut -d':' -f1); do
 		OPTIONS=$(awk -v line="$line" 'NR==line {print $4}' /etc/fstab)
 		if [[ ${OPTIONS} != *"context"* ]]; then
-			sed -i -e "$line""s/comment=cloudconfig/comment=cloudconfig,context=\"system_u:object_r:container_file_t:s0\"/g" /etc/fstab
+			##########################################################################################
+			## When using vz & virtiofs, initially container_file_t selinux label
+			## was considered which works perfectly for container work loads
+			## but it might break for other work loads if the process is running with
+			## different label. Also these are the remote mounts from the host machine,
+			## so keeping the label as nfs_t fits right. Package container-selinux by
+			## default adds rules for nfs_t context which allows container workloads to work as well.
+			## https://github.com/lima-vm/lima/pull/1965
+			##########################################################################################
+			sed -i -e "$line""s/comment=cloudconfig/comment=cloudconfig,context=\"system_u:object_r:nfs_t:s0\"/g" /etc/fstab
 			TAG=$(awk -v line="$line" 'NR==line {print $1}' /etc/fstab)
 			MOUNT_POINT=$(awk -v line="$line" 'NR==line {print $2}' /etc/fstab)
 			OPTIONS=$(awk -v line="$line" 'NR==line {print $4}' /etc/fstab)

pkg/cidata/cidata.TEMPLATE.d/boot/05-rosetta-volume.sh

@@ -14,7 +14,16 @@ mkdir -p /mnt/lima-rosetta
 
 #Check selinux is enabled by kernel
 if [ -d /sys/fs/selinux ]; then
-	mount -t virtiofs vz-rosetta /mnt/lima-rosetta -o context="system_u:object_r:container_file_t:s0"
+	##########################################################################################
+	## When using vz & virtiofs, initially container_file_t selinux label
+	## was considered which works perfectly for container work loads
+	## but it might break for other work loads if the process is running with
+	## different label. Also these are the remote mounts from the host machine,
+	## so keeping the label as nfs_t fits right. Package container-selinux by
+	## default adds rules for nfs_t context which allows container workloads to work as well.
+	## https://github.com/lima-vm/lima/pull/1965
+	##########################################################################################
+	mount -t virtiofs vz-rosetta /mnt/lima-rosetta -o context="system_u:object_r:nfs_t:s0"
 else
 	mount -t virtiofs vz-rosetta /mnt/lima-rosetta
 fi