Merge pull request #33663 from pmorie/selinux-fixes

Automatic merge from submit-queue

SELinux Overhaul

Overhauls handling of SELinux in Kubernetes.  TLDR: Kubelet dir no longer has to be labeled `svirt_sandbox_file_t`.

Fixes #33351 and #33510.  Implements #33951.

hack/make-rules/test-e2e-node.sh

@@ -152,20 +152,6 @@ else
     test_args="$test_args --disable-kubenet=true"
   fi
 
-  # On selinux enabled systems, it might
-  # require to relabel /var/lib/kubelet
-  if which selinuxenabled &> /dev/null && \
-     selinuxenabled && \
-     which chcon > /dev/null ; then
-     mkdir -p /var/lib/kubelet
-     if [[ ! $(ls -Zd /var/lib/kubelet) =~ svirt_sandbox_file_t ]] ; then
-        echo "Applying SELinux label to /var/lib/kubelet directory."
-        if ! sudo chcon -Rt svirt_sandbox_file_t /var/lib/kubelet; then
-           echo "Failed to apply selinux label to /var/lib/kubelet."
-        fi
-     fi
-  fi
-
   # Test using the host the script was run on
   # Provided for backwards compatibility
   go run test/e2e_node/runner/local/run_local.go --ginkgo-flags="$ginkgoflags" \