
USHIFT-7240: work around kernel 7.x SELinux execmem denial on EL10 bootc#6903

Merged
openshift-merge-bot[bot] merged 1 commit into
openshift:mainfrom
eslutsky:BUG-USHIFT-7215
Jun 19, 2026

Conversation

@eslutsky

@eslutsky eslutsky commented Jun 18, 2026

Contributor

Summary

  • CRI-O fails to start on RHEL 10.2 bootc VMs due to a kernel 7.x regression where SELinux mprotect() checks on composefs/overlayfs evaluate the backing file's context instead of the overlay file's context
  • CRI-O runs as kernel_t instead of container_runtime_t, which denies the execmem permission needed for text relocations (CGO libgpgme binding)

Root cause

Kernel 7.0 has a regression in LSM/overlayfs where mprotect() access checks evaluate the backing file's security context instead of the overlay file's context. On composefs (used by bootc), this prevents SELinux domain transitions — CRI-O stays as kernel_t instead of transitioning to container_runtime_t.

Upstream fix

3-commit series by Paul Moore, landed in v7.1-rc1 (not yet backported to RHEL 10.2 kernel):

  1. 880bd496ec72 — fs: prepare for adding LSM blob to backing_file
  2. 6af36aeb147a — lsm: add backing_file LSM hooks
  3. 82544d36b172 — selinux: fix overlayfs mmap() and mprotect() access checks

Remove this workaround once the upstream kernel fix is backported to the RHEL 10.2 kernel.

References

Test plan

  • Verify EL10 bootc periodic CI jobs pass (e2e-aws-tests-bootc-nightly-el10)
  • Verify CRI-O starts successfully on RHEL 10.2 bootc VMs with kernel 7.x
  • Verify no regressions on EL9 bootc jobs (unaffected by this change)

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Bug Fixes
    • Resolved kernel 7.x composefs and overlayfs compatibility issues by updating SELinux security policies to properly handle system process permissions.

Add allow rule to the microshift SELinux policy module so that CRI-O
can perform text relocations when running as kernel_t on composefs.
This is needed until the RHEL 10.2 kernel backports the upstream fix
(880bd496ec72, 6af36aeb147a, 82544d36b172).

USHIFT-7215

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
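To make the workaround and its exit condition concrete, here is an added example script. It is not MicroShift's code and not part of this PR: it parses an AVC denial line of the kind the PR describes into the minimal TE allow rule (a hand-rolled subset of what audit2allow does), prints a standalone TE module carrying the same `allow kernel_t self:process execmem;` rule the PR adds to microshift.te, and, when run with --live on a real host, reports the domain CRI-O is actually running in. The audit line is constructed; the module name kernel7_execmem_workaround, the --live flag and the helper names are this example's own choices, and the live branch assumes procps, audit and policycoreutils are installed.

```shell
#!/bin/sh
# Added example, not MicroShift's own code: turn the execmem AVC denial described
# in the PR into the minimal TE allow rule, print a standalone module with the
# same rule the PR adds to microshift.te, and (on a live host) check CRI-O's domain.
# The audit line below is CONSTRUCTED for illustration.

SAMPLE_AVC='type=AVC msg=audit(1750000000.123:456): avc:  denied  { execmem } for  pid=1234 comm="crio" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=0'

# domain_of CONTEXT -> type field of an SELinux context (user:role:type:level)
domain_of() {
  printf '%s\n' "$1" | cut -d: -f3
}

# avc_to_allow LINE -> "allow <stype> <ttype|self>:<tclass> <perms>;"
# Hand-rolled subset of what audit2allow does; returns 1 on a non-AVC line.
# Assumes contexts carry a level field (...:s0), as they do on RHEL.
avc_to_allow() {
  line=$1
  perms=$(printf '%s\n' "$line" | sed -n 's/.*denied *{\([^}]*\)}.*/\1/p' | sed 's/^ *//; s/ *$//')
  stype=$(printf '%s\n' "$line" | sed -n 's/.*scontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p')
  ttype=$(printf '%s\n' "$line" | sed -n 's/.*tcontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p')
  tclass=$(printf '%s\n' "$line" | sed -n 's/.*tclass=\([^ ]*\).*/\1/p')
  if [ -z "$perms" ] || [ -z "$stype" ] || [ -z "$ttype" ] || [ -z "$tclass" ]; then
    return 1
  fi
  if [ "$ttype" = "$stype" ]; then ttype=self; fi      # same type: TE shorthand
  case $perms in *' '*) perms="{ $perms }" ;; esac      # several perms need braces
  printf 'allow %s %s:%s %s;\n' "$stype" "$ttype" "$tclass" "$perms"
}

# workaround_module -> TE source for a standalone module carrying the same rule
# the PR adds to microshift.te (the module name is this example's choice).
workaround_module() {
  cat <<'EOF'
policy_module(kernel7_execmem_workaround, 1.0)

gen_require(`
    type kernel_t;
')

# TEMPORARY: kernel 7.0 LSM/overlayfs regression on composefs leaves CRI-O in
# kernel_t, which needs execmem for text relocations (CGO libgpgme binding).
# Remove once the RHEL 10.2 kernel carries the upstream fix
# (880bd496ec72, 6af36aeb147a, 82544d36b172).
allow kernel_t self:process execmem;
EOF
}

# Live checks: only with --live, on a host with procps, audit and policycoreutils.
if [ "${1:-}" = "--live" ]; then
  label=$(ps -o label= -C crio | head -n1)
  echo "crio runs as: $(domain_of "$label")  (container_runtime_t expected once the kernel is fixed)"
  ausearch -m AVC -ts boot 2>/dev/null | grep -F 'denied' | while read -r l; do
    avc_to_allow "$l" || true
  done | sort -u
  if semodule -l | grep -q '^kernel7_execmem_workaround'; then
    echo "workaround module loaded: drop it after the kernel backport"
  fi
fi
```

Because the module uses the `policy_module`/`gen_require` macros, it is built with the refpolicy Makefile from selinux-policy-devel (`make -f /usr/share/selinux/devel/Makefile kernel7_execmem_workaround.pp` followed by `semodule -i`), not with bare checkmodule. The domain check is the signal that matters: execmem on kernel_t is a broad grant, since kernel_t is the domain everything starts in before its transition, so the rule should go the moment `ps -o label= -C crio` shows container_runtime_t on the patched kernel.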
@openshift-ci-robot

openshift-ci-robot commented Jun 18, 2026


@eslutsky: This pull request references USHIFT-7240 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the bug to target the "5.0.0" version, but no target version was set.


In response to this:

Summary

  • CRI-O fails to start on RHEL 10.2 bootc VMs due to a kernel 7.x regression where SELinux mprotect() checks on composefs/overlayfs evaluate the backing file's context instead of the overlay file's context
  • CRI-O runs as kernel_t instead of container_runtime_t, which denies the execmem permission needed for text relocations (CGO libgpgme binding)
  • Adds a temporary SELinux CIL policy module + systemd oneshot service to the EL10 base containerfile (rhel102-test-agent), unblocking all EL10 bootc CI jobs

Root cause

Kernel 7.0 has a regression in LSM/overlayfs where mprotect() access checks evaluate the backing file's security context instead of the overlay file's context. On composefs (used by bootc), this prevents SELinux domain transitions — CRI-O stays as kernel_t instead of transitioning to container_runtime_t.

Upstream fix

3-commit series by Paul Moore, landed in v7.1-rc1 (not yet backported to RHEL 10.2 kernel):

  1. 880bd496ec72 — fs: prepare for adding LSM blob to backing_file
  2. 6af36aeb147a — lsm: add backing_file LSM hooks
  3. 82544d36b172 — selinux: fix overlayfs mmap() and mprotect() access checks

What this PR does

Adds to the EL10 base containerfile (rhel102-test-agent.containerfile):

  1. A CIL SELinux policy file granting execmem to kernel_t
  2. A systemd oneshot service that loads the policy before crio.service

Since all EL10 bootc images inherit from rhel102-test-agent, this covers every affected job.

Remove this workaround once the upstream kernel fix is backported to the RHEL 10.2 kernel.

References

Test plan

  • Verify EL10 bootc periodic CI jobs pass (e2e-aws-tests-bootc-nightly-el10)
  • Verify CRI-O starts successfully on RHEL 10.2 bootc VMs with kernel 7.x
  • Verify no regressions on EL9 bootc jobs (unaffected by this change)

🤖 Generated with Claude Code

Summary by CodeRabbit

Release Notes

  • Bug Fixes
  • Addressed a kernel 7.x compatibility issue to enhance system stability and reliability.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jun 18, 2026
@coderabbitai

coderabbitai Bot commented Jun 18, 2026

Contributor

Walkthrough

Adds kernel_t to the gen_require block in microshift.te and introduces a single SELinux allow rule permitting kernel_t to grant itself process execmem, working around a composefs/overlayfs regression in kernel 7.x.

Changes

SELinux kernel 7.x execmem workaround

  • kernel_t self execmem allow rule (packaging/selinux/microshift.te): kernel_t added to gen_require; new allow rule grants kernel_t self process execmem, with a comment citing the kernel 7.x composefs/overlayfs regression.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~5 minutes

🚥 Pre-merge checks | ✅ 5 | ❌ 10

❌ Failed checks (10 inconclusive)

All ten custom checks (Stable And Deterministic Test Names, Test Structure And Quality, Microshift Test Compatibility, Single Node Openshift (Sno) Test Compatibility, Topology-Aware Scheduling Compatibility, Ote Binary Stdout Contract, Ipv6 And Disconnected Network Test Compatibility, No-Weak-Crypto, Container-Privileges, No-Sensitive-Data-In-Logs) were inconclusive: the repository clone failed, so the checks could not run with code access. Resolution: retry the review run; if this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.

✅ Passed checks (5 passed)

  • Title check: the title clearly and specifically summarizes the main change: addressing a SELinux kernel 7.x execmem denial issue on EL10 bootc systems.
  • Docstring Coverage: no functions found in the changed files to evaluate; skipped.
  • Linked Issues check: skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: skipped because no linked issues were found for this pull request.
  • Description Check: skipped because CodeRabbit's high-level summary is enabled.


@openshift-ci openshift-ci Bot requested review from pacevedom and pmtk June 18, 2026 09:24
@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 18, 2026

@pacevedom pacevedom left a comment

Contributor

"Adds a temporary SELinux CIL policy module + systemd oneshot service to the EL10 base containerfile (rhel102-test-agent), unblocking all EL10 bootc CI jobs" is not true anymore, right?

This also applies to el9, where the bug is not present, right?

Comment thread packaging/selinux/microshift.te
@eslutsky

Contributor Author

/override ci/prow/e2e-aws-tests
/override ci/prow/e2e-aws-tests-arm

@openshift-ci

openshift-ci Bot commented Jun 18, 2026

Contributor

@eslutsky: Overrode contexts on behalf of eslutsky: ci/prow/e2e-aws-tests, ci/prow/e2e-aws-tests-arm


In response to this:

/override ci/prow/e2e-aws-tests
/override ci/prow/e2e-aws-tests-arm

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-ci

openshift-ci Bot commented Jun 18, 2026

Contributor

@eslutsky: all tests passed!

Full PR test history. Your PR dashboard.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@pacevedom pacevedom left a comment

Contributor

/lgtm

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Jun 19, 2026
@openshift-ci

openshift-ci Bot commented Jun 19, 2026

Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: eslutsky, pacevedom

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@pacevedom

Contributor

/verified by CI

@openshift-ci-robot openshift-ci-robot added the verified Signifies that the PR passed pre-merge verification criteria label Jun 19, 2026
@openshift-ci-robot


@pacevedom: This PR has been marked as verified by CI.


In response to this:

/verified by CI

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-merge-bot openshift-merge-bot Bot merged commit 8caf970 into openshift:main Jun 19, 2026
14 checks passed
@eslutsky

Contributor Author

/cherrypick release-4.22

@openshift-cherrypick-robot


@eslutsky: new pull request created: #6910


In response to this:

/cherrypick release-4.22

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
