Merge pull request #113406 from jsafrane/fix-selinux-check-of-mounted

Fix SELinux check of mounted volumes

pkg/kubelet/volumemanager/cache/actual_state_of_world.go

@@ -817,15 +817,11 @@ func (asw *actualStateOfWorld) PodExistsInVolume(podName volumetypes.UniquePodNa
 		return false, "", newVolumeNotAttachedError(volumeName)
 	}
 
+	// The volume exists, check its SELinux context mount option
 	if utilfeature.DefaultFeatureGate.Enabled(features.SELinuxMountReadWriteOncePod) {
-		if volumeObj.seLinuxMountContext != nil {
+		if volumeObj.seLinuxMountContext != nil && *volumeObj.seLinuxMountContext != seLinuxLabel {
-			// The volume is mounted, check its SELinux context mount option
+			fullErr := newSELinuxMountMismatchError(volumeName)
-			if *volumeObj.seLinuxMountContext != seLinuxLabel {
+			return false, volumeObj.devicePath, fullErr
-				fullErr := newSELinuxMountMismatchError(volumeName)
-				if util.VolumeSupportsSELinuxMount(volumeObj.spec) {
-					return false, volumeObj.devicePath, fullErr
-				}
-			}
 		}
 	}
 

pkg/kubelet/volumemanager/cache/actual_state_of_world_test.go

@@ -892,7 +892,8 @@ func Test_AddPodToVolume_Positive_SELinux(t *testing.T) {
 	verifyVolumeExistsAswWithSELinux(t, generatedVolumeName, "system_u:object_r:container_file_t:s0:c0,c1", asw)
 	verifyVolumeDoesntExistInUnmountedVolumes(t, generatedVolumeName, asw)
 	verifyVolumeDoesntExistInGloballyMountedVolumes(t, generatedVolumeName, asw)
-	verifyPodExistsInVolumeAsw(t, podName, generatedVolumeName, "fake/device/path" /* expectedDevicePath */, asw)
+	verifyPodExistsInVolumeAswWithSELinux(t, podName, generatedVolumeName, "fake/device/path" /* expectedDevicePath */, "system_u:object_r:container_file_t:s0:c0,c1", asw)
+	verifyPodExistsInVolumeSELinuxMismatch(t, podName, generatedVolumeName, "" /* wrong SELinux label */, asw)
 	verifyVolumeExistsWithSpecNameInVolumeAsw(t, podName, volumeSpec.Name(), asw)
 	verifyVolumeMountedElsewhere(t, podName, generatedVolumeName, false /*expectedMountedElsewhere */, asw)
 }
@@ -1154,8 +1155,18 @@ func verifyPodExistsInVolumeAsw(
 	expectedVolumeName v1.UniqueVolumeName,
 	expectedDevicePath string,
 	asw ActualStateOfWorld) {
+	verifyPodExistsInVolumeAswWithSELinux(t, expectedPodName, expectedVolumeName, expectedDevicePath, "", asw)
+}
+
+func verifyPodExistsInVolumeAswWithSELinux(
+	t *testing.T,
+	expectedPodName volumetypes.UniquePodName,
+	expectedVolumeName v1.UniqueVolumeName,
+	expectedDevicePath string,
+	expectedSELinuxLabel string,
+	asw ActualStateOfWorld) {
 	podExistsInVolume, devicePath, err :=
-		asw.PodExistsInVolume(expectedPodName, expectedVolumeName, resource.Quantity{}, "")
+		asw.PodExistsInVolume(expectedPodName, expectedVolumeName, resource.Quantity{}, expectedSELinuxLabel)
 	if err != nil {
 		t.Fatalf(
 			"ASW PodExistsInVolume failed. Expected: <no error> Actual: <%v>", err)
@@ -1221,6 +1232,26 @@ func verifyPodDoesntExistInVolumeAsw(
 	}
 }
 
+func verifyPodExistsInVolumeSELinuxMismatch(
+	t *testing.T,
+	podToCheck volumetypes.UniquePodName,
+	volumeToCheck v1.UniqueVolumeName,
+	unexpectedSELinuxLabel string,
+	asw ActualStateOfWorld) {
+
+	podExistsInVolume, _, err := asw.PodExistsInVolume(podToCheck, volumeToCheck, resource.Quantity{}, unexpectedSELinuxLabel)
+	if podExistsInVolume {
+		t.Errorf("expected Pod %s not to exists, but it does", podToCheck)
+	}
+	if err == nil {
+		t.Error("expected PodExistsInVolume to return error, but it returned nil")
+	}
+
+	if !IsSELinuxMountMismatchError(err) {
+		t.Errorf("expected PodExistsInVolume to return SELinuxMountMismatchError, got %s", err)
+	}
+}
+
 func verifyVolumeExistsWithSpecNameInVolumeAsw(
 	t *testing.T,
 	expectedPodName volumetypes.UniquePodName,