Merge pull request #2417 from jsafrane/4.20-selinux-e2e-driver

openshift-merge-bot[bot] · web-flow · commit 1b675e10c10c · 2025-09-03T12:56:38.000Z
OCPBUGS-60946: UPSTREAM: 133425: Fix SELinux label comparison
diff --git a/openshift-hack/e2e/annotate/generated/zz_generated.annotations.go b/openshift-hack/e2e/annotate/generated/zz_generated.annotations.go
diff --git a/pkg/controller/volume/selinuxwarning/cache/volumecache_test.go b/pkg/controller/volume/selinuxwarning/cache/volumecache_test.go
@@ -345,7 +345,7 @@ func TestVolumeCache_AddVolumeSendConflicts(t *testing.T) {
 			expectedConflicts: []Conflict{},
 		},
 		{
-			name:        "existing volume in a new pod with existing policy and new incomparable label (missing categories)",
+			name:        "existing volume in a new pod with existing policy and new comparable label (missing categories)",
 			initialPods: existingPods,
 			podToAdd: podWithVolume{
 				podNamespace: "testns",
@@ -354,7 +354,16 @@ func TestVolumeCache_AddVolumeSendConflicts(t *testing.T) {
 				label:        "system_u:system_r:label7",
 				changePolicy: v1.SELinuxChangePolicyMountOption,
 			},
-			expectedConflicts: []Conflict{},
+			expectedConflicts: []Conflict{
+				{
+					PropertyName:       "SELinuxLabel",
+					EventReason:        "SELinuxLabelConflict",
+					Pod:                cache.ObjectName{Namespace: "testns", Name: "testpod"},
+					PropertyValue:      "system_u:system_r:label7",
+					OtherPod:           cache.ObjectName{Namespace: "ns7", Name: "pod7"},
+					OtherPropertyValue: "::label7:c0,c1",
+				},
+			},
 		},
 		{
 			name:        "existing volume in a new pod with existing policy and new incomparable label (missing everything)",
@@ -368,6 +377,27 @@ func TestVolumeCache_AddVolumeSendConflicts(t *testing.T) {
 			},
 			expectedConflicts: []Conflict{},
 		},
+		{
+			name:        "existing volume in a new pod with existing policy and new comparable label (missing everything but categories)",
+			initialPods: existingPods,
+			podToAdd: podWithVolume{
+				podNamespace: "testns",
+				podName:      "testpod",
+				volumeName:   "vol8",
+				label:        "system_u:system_r:label8:c0,c1",
+				changePolicy: v1.SELinuxChangePolicyMountOption,
+			},
+			expectedConflicts: []Conflict{
+				{
+					PropertyName:       "SELinuxLabel",
+					EventReason:        "SELinuxLabelConflict",
+					Pod:                cache.ObjectName{Namespace: "testns", Name: "testpod"},
+					PropertyValue:      "system_u:system_r:label8:c0,c1",
+					OtherPod:           cache.ObjectName{Namespace: "ns8", Name: "pod8"},
+					OtherPropertyValue: "",
+				},
+			},
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
diff --git a/pkg/controller/volume/selinuxwarning/translator/selinux_translator.go b/pkg/controller/volume/selinuxwarning/translator/selinux_translator.go
@@ -60,12 +60,15 @@ func (c *ControllerSELinuxTranslator) SELinuxOptionsToFileLabel(opts *v1.SELinux
 // Conflicts returns true if two SELinux labels conflict.
 // These labels must be generated by SELinuxOptionsToFileLabel above
 // (the function expects strict nr. of elements in the labels).
-// Since this translator cannot default missing components,
-// the missing components are treated as incomparable and they do not
-// conflict with anything.
+// Since this translator cannot default missing label components from the operating system,
+// the first three components can be empty. In this case, the empty components don't lead to a
+// conflict when compared to a real SELinux label and this function returns false (as no
+// conflict can be detected).
+// The last component (level) is always compared, as it is not defaulted by the operating system.
 // Example: "system_u:system_r:container_t:s0:c1,c2" *does not* conflict with ":::s0:c1,c2",
-// because the node that will run such a Pod may expand "":::s0:c1,c2" to "system_u:system_r:container_t:s0:c1,c2".
-// However, "system_u:system_r:container_t:s0:c1,c2" *does* conflict with ":::s0:c98,c99".
+// because the node that will run such a Pod may expand ":::s0:c1,c2" to "system_u:system_r:container_t:s0:c1,c2".
+// However: "system_u:system_r:container_t:s0:c1,c2" *does* conflict with ":::s0:c98,c99".
+// And ":::s0:c1,c2" *does* conflict with "" or ":::", because it's never defaulted by the OS.
 func (c *ControllerSELinuxTranslator) Conflicts(labelA, labelB string) bool {
 	partsA := strings.SplitN(labelA, ":", 4)
 	partsB := strings.SplitN(labelB, ":", 4)
@@ -82,16 +85,20 @@ func (c *ControllerSELinuxTranslator) Conflicts(labelA, labelB string) bool {
 		if partsA[i] == partsB[i] {
 			continue
 		}
+		if i == 3 {
+			// The last component must always match
+			return true
+		}
+		// i<3, empty parts are incomparable
 		if partsA[i] == "" {
-			// incomparable part, no conflict
 			continue
 		}
 		if partsB[i] == "" {
-			// incomparable part, no conflict
 			continue
 		}
 		// Parts are not equal and neither of them is "" -> conflict
 		return true
 	}
+
 	return false
 }
diff --git a/pkg/controller/volume/selinuxwarning/translator/selinux_translator_test.go b/pkg/controller/volume/selinuxwarning/translator/selinux_translator_test.go
@@ -93,26 +93,32 @@ func TestLabelsConflict(t *testing.T) {
 			conflict: false,
 		},
 		{
-			name:     "empty string  don't conflict with anything",
+			name:     "empty strings don't conflict with anything except the level",
 			a:        "",
 			b:        "system_u:system_r:container_t",
 			conflict: false,
 		},
+		{
+			name:     "empty string conflicts with level",
+			a:        "",
+			b:        "system_u:system_r:container_t:s0:c1,c2",
+			conflict: true,
+		},
 		{
 			name:     "empty parts don't conflict with anything",
-			a:        ":::::::::::::",
+			a:        ":::",
 			b:        "system_u:system_r:container_t",
 			conflict: false,
 		},
 		{
 			name:     "different lengths don't conflict if the common parts are the same",
-			a:        "system_u:system_r:container_t:c0,c2",
-			b:        "system_u:system_r:container_t",
+			a:        "system_u:system_r:container_t:",
+			b:        "system_u:system_r",
 			conflict: false,
 		},
 		{
 			name:     "different lengths conflict if the common parts differ",
-			a:        "system_u:system_r:conflict_t:c0,c2",
+			a:        "system_u:system_r:conflict_t:",
 			b:        "system_u:system_r:container_t",
 			conflict: true,
 		},
@@ -125,9 +131,15 @@ func TestLabelsConflict(t *testing.T) {
 		{
 			name:     "non-conflicting empty parts",
 			a:        "system_u::container_t",
-			b:        ":system_r::c0,c2",
+			b:        ":system_r::",
 			conflict: false,
 		},
+		{
+			name:     "empty level conflicts with non-empty level",
+			a:        ":::s0:c1,c2",
+			b:        "",
+			conflict: true,
+		},
 	}
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
diff --git a/test/e2e/storage/csimock/base.go b/test/e2e/storage/csimock/base.go
@@ -463,7 +463,7 @@ func (m *mockDriverSetup) createPodWithFSGroup(ctx context.Context, fsGroup *int
 	return class, claim, pod
 }
 
-func (m *mockDriverSetup) createPodWithSELinux(ctx context.Context, accessModes []v1.PersistentVolumeAccessMode, mountOptions []string, seLinuxOpts *v1.SELinuxOptions, policy *v1.PodSELinuxChangePolicy) (*storagev1.StorageClass, *v1.PersistentVolumeClaim, *v1.Pod) {
+func (m *mockDriverSetup) createPodWithSELinux(ctx context.Context, accessModes []v1.PersistentVolumeAccessMode, mountOptions []string, seLinuxOpts *v1.SELinuxOptions, policy *v1.PodSELinuxChangePolicy, privileged bool) (*storagev1.StorageClass, *v1.PersistentVolumeClaim, *v1.Pod) {
 	ginkgo.By("Creating pod with SELinux context")
 	f := m.f
 	nodeSelection := m.config.ClientNodeSelection
@@ -480,7 +480,7 @@ func (m *mockDriverSetup) createPodWithSELinux(ctx context.Context, accessModes
 		ReclaimPolicy:        m.tp.reclaimPolicy,
 	}
 	class, claim := createClaim(ctx, f.ClientSet, scTest, nodeSelection, m.tp.scName, f.Namespace.Name, accessModes)
-	pod, err := startPausePodWithSELinuxOptions(f.ClientSet, claim, nodeSelection, f.Namespace.Name, seLinuxOpts, policy)
+	pod, err := startPausePodWithSELinuxOptions(f.ClientSet, claim, nodeSelection, f.Namespace.Name, seLinuxOpts, policy, privileged)
 	framework.ExpectNoError(err, "Failed to create pause pod with SELinux context %s: %v", seLinuxOpts, err)
 
 	if class != nil {
@@ -802,7 +802,7 @@ func startBusyBoxPodWithVolumeSource(cs clientset.Interface, volumeSource v1.Vol
 	return cs.CoreV1().Pods(ns).Create(context.TODO(), pod, metav1.CreateOptions{})
 }
 
-func startPausePodWithSELinuxOptions(cs clientset.Interface, pvc *v1.PersistentVolumeClaim, node e2epod.NodeSelection, ns string, seLinuxOpts *v1.SELinuxOptions, policy *v1.PodSELinuxChangePolicy) (*v1.Pod, error) {
+func startPausePodWithSELinuxOptions(cs clientset.Interface, pvc *v1.PersistentVolumeClaim, node e2epod.NodeSelection, ns string, seLinuxOpts *v1.SELinuxOptions, policy *v1.PodSELinuxChangePolicy, privileged bool) (*v1.Pod, error) {
 	pod := &v1.Pod{
 		ObjectMeta: metav1.ObjectMeta{
 			GenerateName: "pvc-volume-tester-",
@@ -816,6 +816,9 @@ func startPausePodWithSELinuxOptions(cs clientset.Interface, pvc *v1.PersistentV
 				{
 					Name:  "volume-tester",
 					Image: imageutils.GetE2EImage(imageutils.Pause),
+					SecurityContext: &v1.SecurityContext{
+						Privileged: &privileged,
+					},
 					VolumeMounts: []v1.VolumeMount{
 						{
 							Name:      "my-volume",
diff --git a/test/e2e/storage/csimock/csi_selinux_mount.go b/test/e2e/storage/csimock/csi_selinux_mount.go
