Merge pull request #5792 from openshift-cherrypick-robot/cherry-pick-…

…5775-to-release-1.23

[release-1.23] server: Canonize selinux label for comparison with filesystem label

server/label_linux.go

@@ -3,6 +3,7 @@ package server
 import (
 	"fmt"
 
+	selinux "github.com/opencontainers/selinux/go-selinux"
 	"github.com/opencontainers/selinux/go-selinux/label"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
@@ -11,12 +12,17 @@ import (
 
 func securityLabel(path, secLabel string, shared, maybeRelabel bool) error {
 	if maybeRelabel {
-		currentLabel, err := label.FileLabel(path)
-		if err == nil && currentLabel == secLabel {
-			logrus.Debugf(
-				"Skipping relabel for %s, as TrySkipVolumeSELinuxLabel is true and the label of the top level of the volume is already correct",
-				path)
-			return nil
+		canonicalSecLabel, err := selinux.CanonicalizeContext(secLabel)
+		if err != nil {
+			logrus.Errorf("Canonicalize label failed %s: %v", secLabel, err)
+		} else {
+			currentLabel, err := label.FileLabel(path)
+			if err == nil && currentLabel == canonicalSecLabel {
+				logrus.Debugf(
+					"Skipping relabel for %s, as TrySkipVolumeSELinuxLabel is true and the label of the top level of the volume is already correct",
+					path)
+				return nil
+			}
 		}
 	}
 	if err := label.Relabel(path, secLabel, shared); err != nil && !errors.Is(err, unix.ENOTSUP) {

test/selinux.bats

@@ -40,7 +40,7 @@ function teardown() {
 	create_runtime_with_allowed_annotation "selinux" "io.kubernetes.cri-o.TrySkipVolumeSELinuxLabel"
 	start_crio
 
-	jq '	  .linux.security_context.selinux_options = {"level": "s0:c100,c200"}
+	jq '	  .linux.security_context.selinux_options = {"level": "s0:c200,c100"}
 		|  .annotations["io.kubernetes.cri-o.TrySkipVolumeSELinuxLabel"] = "true"' \
 		"$TESTDATA"/sandbox_config.json > "$TESTDIR"/sandbox.json