Merge pull request #113411 from jsafrane/fix-selinux-context-mount

Fix SELinux context mount with unknown context

pkg/volume/csi/csi_attacher.go

@@ -377,7 +377,7 @@ func (c *csiAttacher) MountDevice(spec *volume.Spec, devicePath string, deviceMo
 		if err != nil {
 			return errors.New(log("failed to query for SELinuxMount support: %s", err))
 		}
-		if support {
+		if support && deviceMounterArgs.SELinuxLabel != "" {
 			mountOptions = util.AddSELinuxMountOption(mountOptions, deviceMounterArgs.SELinuxLabel)
 		}
 	}

pkg/volume/csi/csi_mounter.go

@@ -259,7 +259,7 @@ func (c *csiMountMgr) SetUpAt(dir string, mounterArgs volume.MounterArgs) error
 		if err != nil {
 			return errors.New(log("failed to query for SELinuxMount support: %s", err))
 		}
-		if support {
+		if support && mounterArgs.SELinuxLabel != "" {
 			mountOptions = util.AddSELinuxMountOption(mountOptions, mounterArgs.SELinuxLabel)
 			selinuxLabelMount = true
 		}

pkg/volume/csi/csi_mounter_test.go

@@ -200,6 +200,15 @@ func TestMounterSetUp(t *testing.T) {
 			enableSELinuxFeatureGate: true,
 			expectedVolumeContext:    nil,
 		},
+		{
+			name:                     "should not include selinux mount options, if feature gate is enabled, driver supports it, but Pod does not have it",
+			driver:                   "supports_selinux",
+			seLinuxLabel:             "",
+			expectedSELinuxContext:   "", // especially make sure the volume plugin does not use -o context="", that is an invalid value
+			volumeContext:            nil,
+			enableSELinuxFeatureGate: true,
+			expectedVolumeContext:    nil,
+		},
 	}
 
 	noPodMountInfo := false