This repository has been archived by the owner on Jun 20, 2024. It is now read-only.

Default selinux option causes container startup failure on CoreOS 1353.7.0 #2990

Closed
mbroome opened this issue May 25, 2017 · 1 comment

mbroome commented May 25, 2017

Using CoreOS 1353.7.0 and Kubernetes 1.6.4 on a fresh install, the default weave-kube addon fails to start the container when spc_t is set for SELinux options. SELinux is set to permissive. Other containers running on the same host work properly.

Using the default weave-kube deployment via:

kubectl apply -f https://git.io/weave-kube-1.6

The weave container goes into a crash loop with the following info from the Kubernetes event log:

2017-05-25 09:55:53 -0400 EDT   2017-05-25 09:55:53 -0400 EDT   1         weave-net-xxbsv   Pod                 Warning   FailedSync   kubelet, ip-172-17-115-69.ec2.internal   
Error syncing pod, skipping: failed to "CreatePodSandbox" for "weave-net-xxbsv_kube-system(db406ff5-4151-11e7-aa4c-0a5efcdb0a60)" with CreatePodSandboxError: 
"CreatePodSandbox for pod \"weave-net-xxbsv_kube-system(db406ff5-4151-11e7-aa4c-0a5efcdb0a60)\" failed: rpc error: code = 2 desc = failed to start sandbox container for pod \"weave-net-xxbsv\": 
Error response from daemon: {\"message\":\"invalid header field value \\\"oci runtime error: container_linux.go:247: starting container process caused \\\\\\\"process_linux.go:359: container init caused \\\\\\\\\\\\\\\"write /proc/self/task/5543/attr/exec: invalid argument\\\\\\\\\\\\\\\"\\\\\\\"\\\\n\\\"\"}"

If I manually modify the deployment set and comment out the spc_t option, the container comes up clean:

      securityContext:
        seLinuxOptions:
          #type: spc_t

bboreham commented May 26, 2017

The error message "write /proc/self/task/5543/attr/exec: invalid argument" is coming from runc (part of Docker).
Similar report: kubernetes/kubeadm#269
