
Revert "Do not rewrite SELinux labels on volume mounts"

This commit is contained in:
Sebastiaan van Steenis
2021-07-29 08:59:54 +02:00
committed by GitHub
parent e0b892247f
commit 51a6b50a84
9 changed files with 42 additions and 91 deletions


@@ -374,7 +374,7 @@ func RunGetStateFileFromConfigMap(ctx context.Context, controlPlaneHost *hosts.H
}
hostCfg := &container.HostConfig{
Binds: []string{
fmt.Sprintf("%s:/etc/kubernetes", path.Join(controlPlaneHost.PrefixPath, "/etc/kubernetes")),
fmt.Sprintf("%s:/etc/kubernetes:z", path.Join(controlPlaneHost.PrefixPath, "/etc/kubernetes")),
},
NetworkMode: container.NetworkMode("host"),
RestartPolicy: container.RestartPolicy{Name: "no"},
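Review bot: The `:z` on the `/etc/kubernetes` bind in the Binds list makes Docker relabel that host directory recursively to the shared container-accessible SELinux type, and Docker does not restore the original label when this one-shot container exits, so the relabel outlives the call; nothing in the hunk records that this is intended or why the shared form is needed rather than the private `:Z`. Since this directory holds the cluster's certificates and keys, a comment on the Binds line would stop the next reader from "fixing" it again: `// :z (shared) relabel is deliberate: the same host path is bind-mounted by several rke containers, so a private :Z label would break them`. If the path turns out to be mounted only by containers that share one MCS label, `:Z` would be the tighter choice, which is worth confirming before anyone changes it. RunGetStateFileFromConfigMap begins before the hunk.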


@@ -346,16 +346,12 @@ func RunEtcdSnapshotSave(ctx context.Context, etcdHost *hosts.Host, prsMap map[s
}
hostCfg := &container.HostConfig{
Binds: []string{
fmt.Sprintf("%s:/backup", EtcdSnapshotPath),
fmt.Sprintf("%s:/etc/kubernetes", path.Join(etcdHost.PrefixPath, "/etc/kubernetes"))},
fmt.Sprintf("%s:/backup:z", EtcdSnapshotPath),
fmt.Sprintf("%s:/etc/kubernetes:z", path.Join(etcdHost.PrefixPath, "/etc/kubernetes"))},
NetworkMode: container.NetworkMode("host"),
RestartPolicy: container.RestartPolicy{Name: restartPolicy},
}
if hosts.IsDockerSELinuxEnabled(etcdHost) {
hostCfg.SecurityOpt = append(hostCfg.SecurityOpt, SELinuxLabel)
}
if once {
log.Infof(ctx, "[etcd] Running snapshot save once on host [%s]", etcdHost.Address)
logrus.Debugf("[etcd] Using command [%s] for snapshot save once container [%s] on host [%s]", getSanitizedSnapshotCmd(imageCfg, es.BackupConfig), EtcdSnapshotOnceContainerName, etcdHost.Address)
@@ -417,16 +413,12 @@ func RunGetStateFileFromSnapshot(ctx context.Context, etcdHost *hosts.Host, prsM
}
hostCfg := &container.HostConfig{
Binds: []string{
fmt.Sprintf("%s:/backup", EtcdSnapshotPath),
fmt.Sprintf("%s:/backup:z", EtcdSnapshotPath),
},
NetworkMode: container.NetworkMode("host"),
RestartPolicy: container.RestartPolicy{Name: "no"},
}
if hosts.IsDockerSELinuxEnabled(etcdHost) {
hostCfg.SecurityOpt = append(hostCfg.SecurityOpt, SELinuxLabel)
}
if err := docker.DoRemoveContainer(ctx, etcdHost.DClient, EtcdStateFileContainerName, etcdHost.Address); err != nil {
return "", err
}
@@ -488,14 +480,11 @@ func DownloadEtcdSnapshotFromS3(ctx context.Context, etcdHost *hosts.Host, prsMa
log.Infof(ctx, s3Logline)
hostCfg := &container.HostConfig{
Binds: []string{
fmt.Sprintf("%s:/backup", EtcdSnapshotPath),
fmt.Sprintf("%s:/etc/kubernetes", path.Join(etcdHost.PrefixPath, "/etc/kubernetes"))},
fmt.Sprintf("%s:/backup:z", EtcdSnapshotPath),
fmt.Sprintf("%s:/etc/kubernetes:z", path.Join(etcdHost.PrefixPath, "/etc/kubernetes"))},
NetworkMode: container.NetworkMode("host"),
RestartPolicy: container.RestartPolicy{Name: "no"},
}
if hosts.IsDockerSELinuxEnabled(etcdHost) {
hostCfg.SecurityOpt = append(hostCfg.SecurityOpt, SELinuxLabel)
}
if err := docker.DoRemoveContainer(ctx, etcdHost.DClient, EtcdDownloadBackupContainerName, etcdHost.Address); err != nil {
return err
}
@@ -547,14 +536,11 @@ func RestoreEtcdSnapshot(ctx context.Context, etcdHost *hosts.Host, prsMap map[s
}
hostCfg := &container.HostConfig{
Binds: []string{
"/opt/rke/:/opt/rke/",
fmt.Sprintf("%s:/var/lib/rancher/etcd", path.Join(etcdHost.PrefixPath, "/var/lib/etcd")),
fmt.Sprintf("%s:/etc/kubernetes", path.Join(etcdHost.PrefixPath, "/etc/kubernetes"))},
"/opt/rke/:/opt/rke/:z",
fmt.Sprintf("%s:/var/lib/rancher/etcd:z", path.Join(etcdHost.PrefixPath, "/var/lib/etcd")),
fmt.Sprintf("%s:/etc/kubernetes:z", path.Join(etcdHost.PrefixPath, "/etc/kubernetes"))},
NetworkMode: container.NetworkMode("host"),
}
if hosts.IsDockerSELinuxEnabled(etcdHost) {
hostCfg.SecurityOpt = append(hostCfg.SecurityOpt, SELinuxLabel)
}
if err := docker.DoRemoveContainer(ctx, etcdHost.DClient, EtcdRestoreContainerName, etcdHost.Address); err != nil {
return err
}
@@ -624,13 +610,10 @@ func RunEtcdSnapshotRemove(ctx context.Context, etcdHost *hosts.Host, prsMap map
hostCfg := &container.HostConfig{
Binds: []string{
fmt.Sprintf("%s:/backup", EtcdSnapshotPath),
fmt.Sprintf("%s:/backup:z", EtcdSnapshotPath),
},
RestartPolicy: container.RestartPolicy{Name: "no"},
}
if hosts.IsDockerSELinuxEnabled(etcdHost) {
hostCfg.SecurityOpt = append(hostCfg.SecurityOpt, SELinuxLabel)
}
if err := docker.DoRemoveContainer(ctx, etcdHost.DClient, EtcdSnapshotRemoveContainerName, etcdHost.Address); err != nil {
return err
}
@@ -667,12 +650,9 @@ func GetEtcdSnapshotChecksum(ctx context.Context, etcdHost *hosts.Host, prsMap m
}
hostCfg := &container.HostConfig{
Binds: []string{
"/opt/rke/:/opt/rke/",
"/opt/rke/:/opt/rke/:z",
}}
if hosts.IsDockerSELinuxEnabled(etcdHost) {
hostCfg.SecurityOpt = append(hostCfg.SecurityOpt, SELinuxLabel)
}
if err := docker.DoRunContainer(ctx, etcdHost.DClient, imageCfg, hostCfg, EtcdChecksumContainerName, etcdHost.Address, ETCDRole, prsMap); err != nil {
return checksum, err
}
@@ -751,14 +731,11 @@ func StartBackupServer(ctx context.Context, etcdHost *hosts.Host, prsMap map[str
hostCfg := &container.HostConfig{
Binds: []string{
fmt.Sprintf("%s:/backup", EtcdSnapshotPath),
fmt.Sprintf("%s:/etc/kubernetes", path.Join(etcdHost.PrefixPath, "/etc/kubernetes"))},
fmt.Sprintf("%s:/backup:z", EtcdSnapshotPath),
fmt.Sprintf("%s:/etc/kubernetes:z", path.Join(etcdHost.PrefixPath, "/etc/kubernetes"))},
NetworkMode: container.NetworkMode("host"),
RestartPolicy: container.RestartPolicy{Name: "no"},
}
if hosts.IsDockerSELinuxEnabled(etcdHost) {
hostCfg.SecurityOpt = append(hostCfg.SecurityOpt, SELinuxLabel)
}
if err := docker.DoRemoveContainer(ctx, etcdHost.DClient, EtcdServeBackupContainerName, etcdHost.Address); err != nil {
return err
}
@@ -802,14 +779,11 @@ func DownloadEtcdSnapshotFromBackupServer(ctx context.Context, etcdHost *hosts.H
hostCfg := &container.HostConfig{
Binds: []string{
fmt.Sprintf("%s:/backup", EtcdSnapshotPath),
fmt.Sprintf("%s:/etc/kubernetes", path.Join(etcdHost.PrefixPath, "/etc/kubernetes"))},
fmt.Sprintf("%s:/backup:z", EtcdSnapshotPath),
fmt.Sprintf("%s:/etc/kubernetes:z", path.Join(etcdHost.PrefixPath, "/etc/kubernetes"))},
NetworkMode: container.NetworkMode("host"),
RestartPolicy: container.RestartPolicy{Name: "on-failure"},
}
if hosts.IsDockerSELinuxEnabled(etcdHost) {
hostCfg.SecurityOpt = append(hostCfg.SecurityOpt, SELinuxLabel)
}
if err := docker.DoRemoveContainer(ctx, etcdHost.DClient, EtcdDownloadBackupContainerName, etcdHost.Address); err != nil {
return err
}
@@ -852,13 +826,6 @@ func setEtcdPermissions(ctx context.Context, etcdHost *hosts.Host, prsMap map[st
hostCfg := &container.HostConfig{
Binds: []string{dataBind},
}
if hosts.IsDockerSELinuxEnabled(etcdHost) {
// We apply the label because we do not rewrite SELinux labels anymore on volume mounts (no :z)
logrus.Debugf("Applying security opt label [%s] for [%s] container on host [%s]", SELinuxLabel, EtcdPermFixContainerName, etcdHost.Address)
hostCfg.SecurityOpt = []string{SELinuxLabel}
}
if err := docker.DoRunOnetimeContainer(ctx, etcdHost.DClient, imageCfg, hostCfg, EtcdPermFixContainerName,
etcdHost.Address, ETCDRole, prsMap); err != nil {
return err
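Review bot: With the `SELinuxLabel` SecurityOpt removed from setEtcdPermissions, the only SELinux accommodation left for this one-time container is whatever suffix `dataBind` carries, and `dataBind` is built outside the hunk, so it is not visible here whether it ends in `:z` like every other bind this commit restores in the file. If it does not, the permission-fix container will be denied access to the etcd data directory on an enforcing host, which is precisely the case the removed `hosts.IsDockerSELinuxEnabled` branch covered, so please confirm the construction matches the restore path, e.g. `dataBind := fmt.Sprintf("%s:/var/lib/rancher/etcd:z", path.Join(etcdHost.PrefixPath, "/var/lib/etcd"))`. A short comment on the Binds line, `// :z on dataBind replaces the per-container SELinux label that used to be set here`, would make the dependency explicit. setEtcdPermissions starts before the hunk and its body continues after it.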


@@ -52,7 +52,6 @@ const (
ContainerNameLabel = "io.rancher.rke.container.name"
MCSLabel = "label=level:s0:c1000,c1001"
SELinuxLabel = "label=type:rke_container_t"
)
type RestartFunc func(context.Context, *hosts.Host) error
@@ -143,10 +142,6 @@ func GetProcessConfig(process v3.Process, host *hosts.Host) (*container.Config,
hostCfg.SecurityOpt = []string{MCSLabel}
}
}
// We apply the label because we do not rewrite SELinux labels anymore on volume mounts (no :z)
logrus.Debugf("Applying security opt label [%s] for etcd container on host [%s]", SELinuxLabel, host.Address)
hostCfg.SecurityOpt = append(hostCfg.SecurityOpt, SELinuxLabel)
}
return imageCfg, hostCfg, process.HealthCheck.URL
}