Update selinux label from container_file_t to nfs_t

hasan4791 · hasan4791 · commit 81a49040f623 · 2023-10-30T17:03:58.000+05:30
When using vz &amp; virtiofs, initially container_file_t selinux label
was considered which works perfectly for container work loads
but it might break for other work loads if the process is running with
different label. Also these are the remote mounts from the host machine,
so keeping the label as nfs_t fits right. Package container-selinux by
default adds rules for nfs_t context which allows container workloads to work as well.

Signed-off-by: T K Chandra Hasan &lt;t.k.chandra.hasan@ibm.com&gt;
diff --git a/hack/test-selinux.sh b/hack/test-selinux.sh
@@ -12,7 +12,16 @@ if [ "$#" -ne 1 ]; then
 fi
 
 NAME="$1"
-expected="context=system_u:object_r:container_file_t:s0"
+##########################################################################################
+## When using vz & virtiofs, initially container_file_t selinux label
+## was considered which works perfectly for container work loads
+## but it might break for other work loads if the process is running with
+## different label. Also these are the remote mounts from the host machine,
+## so keeping the label as nfs_t fits right. Package container-selinux by
+## default adds rules for nfs_t context which allows container workloads to work as well.
+## https://github.com/lima-vm/lima/pull/1965
+##########################################################################################
+expected="context=system_u:object_r:nfs_t:s0"
 #Skip Rosetta checks for x86 GHA mac runners
 if [[ "$(uname)" == "Darwin" && "$(arch)" == "arm64" ]]; then
 	INFO "Testing secontext is set for rosetta mounts"
@@ -38,7 +47,7 @@ if [[ $got != *$expected* ]]; then
 	exit 1
 fi
 INFO "Checking in fstab file"
-expected='context="system_u:object_r:container_file_t:s0"'
+expected='context="system_u:object_r:nfs_t:s0"'
 got=$(limactl shell "$NAME" cat /etc/fstab | grep "$HOME" | awk '{print $4}')
 INFO "secontext ${HOME}: expected=${expected}, got=${got}"
 if [[ $got != *$expected* ]]; then
diff --git a/pkg/cidata/cidata.TEMPLATE.d/boot/05-lima-mounts.sh b/pkg/cidata/cidata.TEMPLATE.d/boot/05-lima-mounts.sh
@@ -14,7 +14,16 @@ if [ -d /sys/fs/selinux ]; then
 	for line in $(grep -n virtiofs </etc/fstab | cut -d':' -f1); do
 		OPTIONS=$(awk -v line="$line" 'NR==line {print $4}' /etc/fstab)
 		if [[ ${OPTIONS} != *"context"* ]]; then
-			sed -i -e "$line""s/comment=cloudconfig/comment=cloudconfig,context=\"system_u:object_r:container_file_t:s0\"/g" /etc/fstab
+			##########################################################################################
+			## When using vz & virtiofs, initially container_file_t selinux label
+			## was considered which works perfectly for container work loads
+			## but it might break for other work loads if the process is running with
+			## different label. Also these are the remote mounts from the host machine,
+			## so keeping the label as nfs_t fits right. Package container-selinux by
+			## default adds rules for nfs_t context which allows container workloads to work as well.
+			## https://github.com/lima-vm/lima/pull/1965
+			##########################################################################################
+			sed -i -e "$line""s/comment=cloudconfig/comment=cloudconfig,context=\"system_u:object_r:nfs_t:s0\"/g" /etc/fstab
 			TAG=$(awk -v line="$line" 'NR==line {print $1}' /etc/fstab)
 			MOUNT_POINT=$(awk -v line="$line" 'NR==line {print $2}' /etc/fstab)
 			OPTIONS=$(awk -v line="$line" 'NR==line {print $4}' /etc/fstab)
diff --git a/pkg/cidata/cidata.TEMPLATE.d/boot/05-rosetta-volume.sh b/pkg/cidata/cidata.TEMPLATE.d/boot/05-rosetta-volume.sh
@@ -14,7 +14,16 @@ mkdir -p /mnt/lima-rosetta
 
 #Check selinux is enabled by kernel
 if [ -d /sys/fs/selinux ]; then
-	mount -t virtiofs vz-rosetta /mnt/lima-rosetta -o context="system_u:object_r:container_file_t:s0"
+	##########################################################################################
+	## When using vz & virtiofs, initially container_file_t selinux label
+	## was considered which works perfectly for container work loads
+	## but it might break for other work loads if the process is running with
+	## different label. Also these are the remote mounts from the host machine,
+	## so keeping the label as nfs_t fits right. Package container-selinux by
+	## default adds rules for nfs_t context which allows container workloads to work as well.
+	## https://github.com/lima-vm/lima/pull/1965
+	##########################################################################################
+	mount -t virtiofs vz-rosetta /mnt/lima-rosetta -o context="system_u:object_r:nfs_t:s0"
 else
 	mount -t virtiofs vz-rosetta /mnt/lima-rosetta
 fi
