Commit 5bba6b1

BZ:2040457 - Updated known issue in RN with additional information.
1 parent 621bcb9 commit 5bba6b1

1 file changed

+7
-1
lines changed

sandboxed_containers/sandboxed-containers-4.9-release-notes.adoc

Lines changed: 7 additions & 1 deletion
@@ -47,7 +47,13 @@ You can now install the {sandboxed-containers-operator} in a disconnected enviro
4747
[id="sandboxed-containers-1-1-known-issues"]
4848
== Known issues
4949

50-
* If you are using {sandboxed-containers-first}, you cannot use the `hostPath` volume in an {product-title} cluster to mount a file or directory from the host node’s file system into your pod. As an alternative, you can use local persistent volumes. See xref:../storage/persistent_storage/persistent-storage-local.adoc[Persistent storage using local volumes] for more information. (link:https://bugzilla.redhat.com/show_bug.cgi?id=1904609[*BZ#1904609*])
50+
* If you are using {sandboxed-containers-first}, you might receive SELinux denials accessing files or directories mounted from the `hostPath` volume in an {product-title} cluster. These denials can occur even when running privileged sandboxed containers, since privileged sandboxed containers do not disable SELinux checks.
51+
+
52+
Following SELinux policy on the host guarantees full isolation of the host file system from the sandboxed workload by default, and provides stronger protection against potential security flaws in `virtiofsd` or QEMU.
53+
+
54+
If the mounted files or directories do not have specific SELinux requirements on the host, you can use local persistent volumes as an alternative. Files are automatically relabeled to `container_file_t`, following SELinux policy for container runtimes. See xref:../storage/persistent_storage/persistent-storage-local.adoc[Persistent storage using local volumes] for more information.
55+
+
56+
Automatic relabeling is not an option when mounted files or directories are expected to have specific SELinux labels on the host. Instead, you can set custom SELinux rules on the host in order to allow virtiofsd to access these specific labels. (link:https://bugzilla.redhat.com/show_bug.cgi?id=1904609[*BZ#1904609*])
5157

5258
[id="sandboxed-containers-1-1-asynchronous-errata-updates"]
5359
== Asynchronous errata updates
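Review bot: the last added paragraph tells the reader to "set custom SELinux rules on the host in order to allow virtiofsd to access these specific labels" without saying what that entails or pointing anywhere, and the paragraph two lines above states that the host SELinux policy is what guarantees isolation of the host file system and protects against flaws in `virtiofsd` or QEMU; a sentence noting that such custom rules widen what virtiofsd may access on the host and should be scoped to exactly the labels the workload needs would keep the two paragraphs consistent, and a link to where authoring such rules is documented (or to the BZ, as in the original bullet) would make the workaround actionable. It would also help to say how the denials show up (as SELinux AVC denials in the host audit log), since "you might receive SELinux denials" gives the reader nothing to look for. Minor style point: `virtiofsd` is backticked in the second added paragraph but bare in the last one.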
