Allow container access to runtime directories for crun masked path optimization

[sohankunkerkar]

Problem: crun PR #1859 (containers/crun#1859) optimizes masked paths by using a shared empty directory instead of individual tmpfs mounts. However, containers cannot access this shared directory due to SELinux policy:

  avc: denied { read } for name=".empty-directory"
  scontext=container_t:s0:c139,c767 tcontext=container_var_run_t:s0

Without this policy, the optimization falls back to individual tmpfs mounts, negating the performance benefits.

Summary by Sourcery

Bug Fixes:

• Grant container_t permission to read and search the shared .empty-directory under /run for masked path optimization

[sourcery-ai]

Reviewer's guide (collapsed on small PRs)

Reviewer's Guide

Updated SELinux policy to grant container_t read access to the shared empty-directory under container_var_run_t, enabling crun’s masked-path optimization to use a shared directory instead of fallback tmpfs mounts.

File-Level Changes

Change	Details	Files
Allow container processes to read the shared empty directory by extending SELinux rules	Add allow rule for container_t to read container_var_run_t directories Grant read permission on the .empty-directory label	container.te

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[packit-as-a-service]

Ephemeral COPR build failed. @containers/packit-build please check.

[sourcery-ai]

Hey there - I've reviewed your changes and they look great!

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[openshift-ci]

@sourcery-ai[bot]: changing LGTM is restricted to collaborators

In response to this:

Hey there - I've reviewed your changes and they look great!

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[lsm5]

LGTM

@rhatdan @haircommander @giuseppe @wrabcak PTAL

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: lsm5, sohankunkerkar, sourcery-ai[bot]

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [lsm5]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[lsm5]

/hold

[lsm5]

ugh, looks like i was too late to add the hold. I should update the merge bot config to only use slash-lgtm as an official lgtm.

If anybody objects to the change, I'll post a revert, so lmk.

[sohankunkerkar]

module crun_thermal_fix 1.0;

require {
    type container_t;
    type container_var_run_t;
    type container_file_t;
    class dir { read open search getattr };
}

# Allow containers to access shared runtime directories for crun masked path optimization
# This enables the thermal_throttle sharing fix for CNV scenarios
allow container_t container_var_run_t:dir { read open search getattr };
allow container_t container_file_t:dir { read open search getattr };

This policy worked well while testing on the real clusters.

[lsm5]

/cherrypick rhaos-maint

[openshift-cherrypick-robot]

@lsm5: new pull request created: #396

In response to this:

/cherrypick rhaos-maint

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.