From 990440c16ecb4c0de2da0423372eaef0204b4d0e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20Luis=20Sanmart=C3=ADn=20Rozada?=
Date: Mon, 4 Apr 2022 12:20:29 +0200
Subject: [PATCH 1/2] Canonize selinux label for comparison with filesystem label
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Manuel Luis SanmartĂ­n Rozada
---
 server/label_linux.go | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/server/label_linux.go b/server/label_linux.go
index d53bb294f5e..b188690f4a7 100644
--- a/server/label_linux.go
+++ b/server/label_linux.go
@@ -3,6 +3,7 @@ package server
 import (
 	"fmt"
+	selinux "github.com/opencontainers/selinux/go-selinux"
 	"github.com/opencontainers/selinux/go-selinux/label"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
@@ -11,12 +12,17 @@ import (
 func securityLabel(path, secLabel string, shared, maybeRelabel bool) error {
 	if maybeRelabel {
-		currentLabel, err := label.FileLabel(path)
-		if err == nil && currentLabel == secLabel {
-			logrus.Debugf(
-				"Skipping relabel for %s, as TrySkipVolumeSELinuxLabel is true and the label of the top level of the volume is already correct",
-				path)
-			return nil
+		canonicalSecLabel, err := selinux.CanonicalizeContext(secLabel)
+		if err != nil {
+			logrus.Errorf("Canonicalize label failed %s: %v", secLabel, err)
+		} else {
+			currentLabel, err := label.FileLabel(path)
+			if err == nil && currentLabel == canonicalSecLabel {
+				logrus.Debugf(
+					"Skipping relabel for %s, as TrySkipVolumeSELinuxLabel is true and the label of the top level of the volume is already correct",
+					path)
+				return nil
+			}
 		}
 	}
 	if err := label.Relabel(path, secLabel, shared); err != nil && !errors.Is(err, unix.ENOTSUP) {

From 57fcb0899e57b1d1628e1bdbb5101067b0d3fa25 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20Luis=20Sanmart=C3=ADn=20Rozada?=
Date: Mon, 4 Apr 2022 18:54:26 +0200
Subject: [PATCH 2/2] Change the mcs order in selinux.bats to test the canonization of selinux label
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Manuel Luis SanmartĂ­n Rozada
---
 test/selinux.bats | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/test/selinux.bats b/test/selinux.bats
index 48be809a84d..15a69235d9c 100644
--- a/test/selinux.bats
+++ b/test/selinux.bats
@@ -40,7 +40,7 @@ function teardown() {
 	create_runtime_with_allowed_annotation "selinux" "io.kubernetes.cri-o.TrySkipVolumeSELinuxLabel"
 	start_crio
-	jq ' .linux.security_context.selinux_options = {"level": "s0:c100,c200"}
+	jq ' .linux.security_context.selinux_options = {"level": "s0:c200,c100"}
 	| .annotations["io.kubernetes.cri-o.TrySkipVolumeSELinuxLabel"] = "true"' \
 	"$TESTDATA"/sandbox_config.json > "$TESTDIR"/sandbox.json
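Review bot: The `logrus.Errorf` on the new `if err != nil` branch reports a failure of what is only a best-effort skip optimization, and CanonicalizeContext presumably cannot succeed when SELinux is not enabled or `secLabel` is empty, so hosts that set the annotation without SELinux would likely log one error per volume even though the fall-through to Relabel is the intended path; consider `logrus.Warnf("Canonicalize label failed %q: %v", secLabel, err)` (or Debugf), or guarding the block with `if maybeRelabel && selinux.GetEnabled() && secLabel != ""`. The inner `currentLabel, err := label.FileLabel(path)` declares a second `err` that shadows the outer one from the same block, which shadow-style linters flag and which makes the nested condition harder to read; renaming it (`currentLabel, ferr := label.FileLabel(path)` / `if ferr == nil && currentLabel == canonicalSecLabel {`) avoids that. A FileLabel error still silently falls through to the relabel, which is reasonable as a fallback but deserves a one-line why-comment such as `// any error here only means we cannot prove the label is already correct, so relabel`. securityLabel's body continues past the end of the hunk.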
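Review bot: The reversed MCS category order on the added `jq` line is the entire purpose of the change, but nothing in the test says so, and a later reader is likely to "tidy" it back to `s0:c100,c200` and silently lose the canonicalization coverage. Add a comment directly above the `jq` invocation, e.g. `# categories deliberately out of order: the kernel canonicalizes the label, and the relabel-skip path must compare against that canonical form`. The enclosing @test block starts outside the hunk.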