From 1b65a7749671cc539bd9833c0362d9443d964adb Mon Sep 17 00:00:00 2001
From: Evgeny Slutsky
Date: Wed, 17 Jun 2026 18:38:30 +0200
Subject: [PATCH] SELinux: allow kernel_t execmem to work around composefs regression
Add allow rule to the microshift SELinux policy module so that CRI-O can perform text relocations when running as kernel_t on composefs. This is needed until the RHEL 10.2 kernel backports the upstream fix (880bd496ec72, 6af36aeb147a, 82544d36b172). USHIFT-7215 Co-Authored-By: Claude Opus 4.6
---
 packaging/selinux/microshift.te | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/packaging/selinux/microshift.te b/packaging/selinux/microshift.te
index 0d9ef586b8..175b926e8a 100644
--- a/packaging/selinux/microshift.te
+++ b/packaging/selinux/microshift.te
@@ -4,9 +4,15 @@ type microshift_t;
 domain_type(microshift_t);
 
 gen_require(`
- type kubelet_t, var_lib_t, container_var_lib_t;
+ type kubelet_t, var_lib_t, container_var_lib_t, kernel_t;
 ')
 
+# Workaround for kernel 7.x composefs/overlayfs SELinux regression (USHIFT-7215).
+# CRI-O runs as kernel_t instead of container_runtime_t on composefs, which denies
+# execmem needed for text relocations. Upstream fix: kernel v7.1-rc1 commits
+# 880bd496ec72, 6af36aeb147a, 82544d36b172. Remove when backported to RHEL 10.2 kernel.
+allow kernel_t self:process execmem;
+
 # When microshift creates backup folders in /var/lib/microshift-backups, the correct labels are applied
 # Note: filetrans_pattern rules states;
 # Process running as `kubelet_t` that creates a `dir` called `microshift-backups`
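Review bot: The added `allow kernel_t self:process execmem;` is system-wide, not CRI-O-specific: kernel_t is the domain of kernel threads and of any process that has not transitioned out of it, so every kernel_t process on the host gains anonymous executable memory, and the rule is unconditional with only a comment ("Remove when backported") to retire it. Since the root cause named in the comment is that CRI-O runs as kernel_t instead of container_runtime_t, this silences one denial while the missing domain transition (and the rest of container_runtime_t's policy) remains absent, so further kernel_t denials are likely and worth watching for in the AVC log. Consider wrapping the rule in a tunable so it can be disabled with setsebool once the fixed kernel ships, without rebuilding the module, and extending the comment with the exact kernel version at which the workaround is expected to be unnecessary (e.g. `# Expected obsolete once RHEL 10.2 kernel >= <fixed-version-placeholder> is installed`). The enclosing file continues outside the hunk, so the tunable declaration may belong near the other declarations at the top of microshift.te.
```selinux
gen_require(`
	type kubelet_t, var_lib_t, container_var_lib_t, kernel_t;
')

# Toggle for the composefs/overlayfs execmem workaround (USHIFT-7215); default on.
gen_tunable(microshift_kernel_t_execmem, true)

# … unchanged: existing workaround comment block …
tunable_policy(`microshift_kernel_t_execmem',`
	allow kernel_t self:process execmem;
')
```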