sandbox, ctr: SELinux fixes

server: fix selinux labels for pod and containers

Signed-off-by: Antonio Murdaca <runcom@redhat.com>

sandbox: set selinux labels from request, not defaults

Signed-off-by: Antonio Murdaca <runcom@redhat.com>

container_create: use sandbox's selinux if container's nil

Signed-off-by: Antonio Murdaca <runcom@redhat.com>

sandbox: correctly init selinux labels

First, we weren't correctly initializing selinux labels. If any of
(level, user, role, type) was missing from kube selinux options, we
were erroring out. This is wrong as kube sends just `level=s0`
sometimes and docker itself allows `--security-opt label=level:s0`.
This patch directly initializes selinux labels, correctly, and adds a
test to verify it.

Signed-off-by: Antonio Murdaca <runcom@redhat.com>

test: testdata: use container_runtime_t selinux type

RHEL SELinux policy doesn't have `container_t` type but we're using it
in our fixtures. That means Fedora integration tests pass because
`container_t` is in Fedora's container policy but RHEL is broken.
Fix it by using `container_runtime_t` which is aliased in Fedora policy
to `container_t`.

Signed-off-by: Antonio Murdaca <runcom@redhat.com>

test/selinux.bats

@@ -0,0 +1,26 @@
+#!/usr/bin/env bats
+
+load helpers
+
+function teardown() {
+	cleanup_test
+}
+
+@test "ctr termination reason Completed" {
+	start_crio
+	run crioctl pod run --config "$TESTDATA"/sandbox_config_selinux.json
+	echo "$output"
+	[ "$status" -eq 0 ]
+	pod_id="$output"
+	run crioctl ctr create --config "$TESTDATA"/container_redis.json --pod "$pod_id"
+	echo "$output"
+	[ "$status" -eq 0 ]
+	ctr_id="$output"
+	run crioctl ctr start --id "$ctr_id"
+	echo "$output"
+	[ "$status" -eq 0 ]
+
+	cleanup_ctrs
+	cleanup_pods
+	stop_crio
+}

test/testdata/container_config.json

@@ -51,6 +51,12 @@
 		},
 		"security_context": {
 			"readonly_rootfs": false,
+			"selinux_options": {
+				"user": "system_u",
+				"role": "system_r",
+				"type": "svirt_lxc_net_t",
+				"level": "s0:c4,c5"
+			},
 			"capabilities": {
 				"add_capabilities": [
 					"setuid",
@@ -58,12 +64,6 @@
 				],
 				"drop_capabilities": [
 				]
-			},
-			"selinux_options": {
-				"user": "system_u",
-				"role": "system_r",
-				"type": "container_t",
-				"level": "s0:c4,c5"
 			}
 		}
 	}

test/testdata/container_config_by_imageid.json

@@ -62,7 +62,7 @@
 			"selinux_options": {
 				"user": "system_u",
 				"role": "system_r",
-				"type": "container_t",
+				"type": "svirt_lxc_net_t",
 				"level": "s0:c4,c5"
 			}
 		}

test/testdata/container_config_hostport.json

@@ -64,7 +64,7 @@
 			"selinux_options": {
 				"user": "system_u",
 				"role": "system_r",
-				"type": "container_t",
+				"type": "svirt_lxc_net_t",
 				"level": "s0:c4,c5"
 			}
 		}

test/testdata/container_config_logging.json

@@ -64,7 +64,7 @@
 			"selinux_options": {
 				"user": "system_u",
 				"role": "system_r",
-				"type": "container_t",
+				"type": "svirt_lxc_net_t",
 				"level": "s0:c4,c5"
 			}
 		}

test/testdata/container_config_resolvconf.json

@@ -64,7 +64,7 @@
 			"selinux_options": {
 				"user": "system_u",
 				"role": "system_r",
-				"type": "container_t",
+				"type": "svirt_lxc_net_t",
 				"level": "s0:c4,c5"
 			}
 		}

test/testdata/container_config_resolvconf_ro.json

@@ -64,7 +64,7 @@
 			"selinux_options": {
 				"user": "system_u",
 				"role": "system_r",
-				"type": "container_t",
+				"type": "svirt_lxc_net_t",
 				"level": "s0:c4,c5"
 			}
 		}

test/testdata/container_config_seccomp.json

@@ -65,7 +65,7 @@
 				"user": "system_u",
 				"role": "system_r",
 				"type": "svirt_lxc_net_t",
-				"level": "s0:c4-c5"
+				"level": "s0:c4,c5"
 			}
 		}
 	}

test/testdata/sandbox_config.json

@@ -39,6 +39,12 @@
 				"host_network": false,
 				"host_pid": false,
 				"host_ipc": false
+			},
+			"selinux_options": {
+				"user": "system_u",
+				"role": "system_r",
+				"type": "svirt_lxc_net_t",
+				"level": "s0:c4,c5"
 			}
 		}
 	}

test/testdata/sandbox_config_seccomp.json

@@ -41,13 +41,13 @@
 				"host_network": false,
 				"host_pid": false,
 				"host_ipc": false
+			},
+			"selinux_options": {
+				"user": "system_u",
+				"role": "system_r",
+				"type": "svirt_lxc_net_t",
+				"level": "s0:c4,c5"
 			}
-		},
-		"selinux_options": {
-			"user": "system_u",
-			"role": "system_r",
-			"type": "container_t",
-			"level": "s0:c1,c2"
 		}
 	}
 }

test/testdata/sandbox_config_selinux.json

@@ -0,0 +1,48 @@
+{
+	"metadata": {
+		"name": "podsandbox1",
+		"uid": "redhat-test-crio",
+		"namespace": "redhat.test.crio",
+		"attempt": 1
+	},
+	"hostname": "crioctl_host",
+	"log_directory": "",
+	"dns_config": {
+		"searches": [
+			"8.8.8.8"
+		]
+	},
+	"port_mappings": [],
+	"resources": {
+		"cpu": {
+			"limits": 3,
+			"requests": 2
+		},
+		"memory": {
+			"limits": 50000000,
+			"requests": 2000000
+		}
+	},
+	"labels": {
+		"group": "test"
+	},
+	"annotations": {
+		"owner": "hmeng",
+		"security.alpha.kubernetes.io/sysctls": "kernel.shm_rmid_forced=1,net.ipv4.ip_local_port_range=1024 65000",
+		"security.alpha.kubernetes.io/unsafe-sysctls": "kernel.msgmax=8192" ,
+		"security.alpha.kubernetes.io/seccomp/pod": "unconfined"
+	},
+	"linux": {
+		"cgroup_parent": "/Burstable/pod_123-456",
+		"security_context": {
+			"namespace_options": {
+				"host_network": false,
+				"host_pid": false,
+				"host_ipc": false
+			},
+			"selinux_options": {
+				"level": "s0"
+			}
+		}
+	}
+}