Add SELinux Support for CRI

[crosbymichael]

This is a carry of #1246.

We are splitting up the work and I will be carrying this PR to merge.

[crosbymichael]

I went ahead and squashed this as it had many WIP commits and unsigned commits from the previous PR causing CI to fail.

[mikebrow]

/test pull-cri-containerd-node-e2e

[mikebrow]

e2e bucket timed out for no obvious reason restarting

[crosbymichael]

I'm not getting good info on why this is timing out....

[crosbymichael]

/test pull-cri-containerd-node-e2e

it looks like a normal timeout now for a single test, going to rerun

[crosbymichael]

victory!

[crosbymichael]

Tested labeling for volumes:

system_u:system_r:container_t:s0:c192,c450 root 9226 0.0  0.1 10636 5168 ?       Ss   11:57   0:00 nginx: master process nginx -g daemon off;
system_u:system_r:container_t:s0:c192,c450 101 9240 0.0  0.0 11100 2552 ?        S    11:57   0:00 nginx: worker process

process ^^

drwxr-xr-x. 2 root root unconfined_u:object_r:mnt_t:s0                  6 May 26 11:57 mnt
drwxr-xr-x. 2 root root system_u:object_r:container_file_t:s0:c192,c450 6 May 26 11:57 test

mount ^^

[crosbymichael]

I think we could merge this and then follow up on adding reference counting to the pod level and off of the container.

[mxpv]

LGTM

[crosbymichael]

Updated, please take another look

[dmcgowan]

LGTM

[dmcgowan]

We should try to decouple this a little bit, maybe having the label store could be registered through the plugin system in the future.

[dmcgowan]

In a follow up or maybe post merge back into containerd

[crosbymichael]

Ya, the store is what I’m currently working on and will be putting a PR up shortly. Michael Crosby

…

On May 26, 2020, at 6:53 PM, Derek McGowan ***@***.***> wrote:  Merged #1487 into master. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub, or unsubscribe.

[mikebrow]

LGTM
thanks for taking this on