tests: [workaround] containerd 2.2 SELinux mmap denial for container images (#676)

bfjelds · Copilot · web-flow · commit 2cf4256c1d8d · 2026-06-08T11:16:56.000-07:00
## Summary containerd 2.2+ introduces a MountManager plugin that `mmap()`s a bbolt DB under `/run/containerd/`. The AZL 3.0 SELinux policy (refpolicy `RELEASE_2_20240226`) grants `manage_file_perms` on `container_runtime_t:file` which does **not** include the `map` permission, causing a cascade failure that surfaces as: \\\ docker: Error response from daemon: failed to create task for container: unknown service containerd.services.tasks.v1.Tasks: not implemented \\\ Upstream refpolicy fixed this in commit [\7876e51510\](SELinuxProject/refpolicy@7876e51510) (May 2024), but AZL's pinned version predates it. ## Validation https://dev.azure.com/mariner-org/ECF/_build/results?buildId=1134778 ## AZL bug https://microsoft.visualstudio.com/OS/_workitems/edit/62602180 ## Changes - Add a CIL policy module (`containerd-mmap-fix.cil`) that grants the missing `map` permission on `container_runtime_t:file` for `container_engine_system_domain` - Add `selinux-policy` package to both container images - Load the CIL module during image build via a `postCustomization` script - Applied to both `trident-container-installer` and `trident-container-testimage` > **Note:** Existing workarounds (`enforcing=0` kernel param on installer, `setenforce 0` in testimage service) are intentionally kept in place. They should be removed in a follow-up PR after this fix is validated. ## Related - Upstream fix: SELinuxProject/refpolicy@7876e51510 - Pipeline bugs: #20870, #20884, #20879, #20905 --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
diff --git a/tests/images/trident-container-installer/base/baseimg.yaml b/tests/images/trident-container-installer/base/baseimg.yaml
@@ -40,6 +40,7 @@ os:
       - mdadm
       - moby-engine
       - openssh-server
+      - selinux-policy
       - squashfs-tools
       - tar
       - vim
@@ -53,6 +54,8 @@ os:
       destination: /root/.profile
     - source: files/trident-container.service
       destination: /usr/lib/systemd/system/trident-container.service
+    - source: files/containerd-mmap-fix.cil
+      destination: /usr/share/selinux/packages/containerd-mmap-fix.cil
 
   services:
     enable:
@@ -62,6 +65,7 @@ os:
 scripts:
   postCustomization:
     - path: scripts/post-install.sh
+    - path: scripts/load-containerd-selinux-fix.sh
 
 iso:
   additionalFiles:
diff --git a/tests/images/trident-container-installer/base/files/containerd-mmap-fix.cil b/tests/images/trident-container-installer/base/files/containerd-mmap-fix.cil
@@ -0,0 +1,7 @@
+; Fix for containerd 2.2+ MountManager plugin SELinux denial.
+; containerd 2.2 introduces a MountManager that opens a bbolt DB under
+; /run/containerd/ using mmap(). The base refpolicy (RELEASE_2_20240226)
+; grants manage_file_perms on container_runtime_t:file but that set does
+; not include 'map'. Upstream fixed this in commit 7876e51510 (May 2024).
+; This module backports the missing permission.
+(allow container_engine_system_domain container_runtime_t (file (map)))
diff --git a/tests/images/trident-container-installer/base/scripts/load-containerd-selinux-fix.sh b/tests/images/trident-container-installer/base/scripts/load-containerd-selinux-fix.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# Load SELinux policy module that grants the 'map' permission on
+# container_runtime_t:file for container engines.  This fixes containerd
+# 2.2+ MountManager bbolt mmap() denials under enforcing mode.
+semodule -i /usr/share/selinux/packages/containerd-mmap-fix.cil
diff --git a/tests/images/trident-container-testimage/base/baseimg.yaml b/tests/images/trident-container-testimage/base/baseimg.yaml
@@ -66,12 +66,15 @@ os:
 
       - docker-cli
       - moby-engine
+      - selinux-policy
       - squashfs-tools
       - tar
 
   additionalFiles:
   - source: files/trident-container.service
     destination: /usr/lib/systemd/system/trident-container.service
+  - source: files/containerd-mmap-fix.cil
+    destination: /usr/share/selinux/packages/containerd-mmap-fix.cil
 
   services:
     enable:
@@ -81,3 +84,4 @@ os:
 scripts:
   postCustomization:
   - path: scripts/post-install.sh
+  - path: scripts/load-containerd-selinux-fix.sh
diff --git a/tests/images/trident-container-testimage/base/files/containerd-mmap-fix.cil b/tests/images/trident-container-testimage/base/files/containerd-mmap-fix.cil
@@ -0,0 +1,7 @@
+; Fix for containerd 2.2+ MountManager plugin SELinux denial.
+; containerd 2.2 introduces a MountManager that opens a bbolt DB under
+; /run/containerd/ using mmap(). The base refpolicy (RELEASE_2_20240226)
+; grants manage_file_perms on container_runtime_t:file but that set does
+; not include 'map'. Upstream fixed this in commit 7876e51510 (May 2024).
+; This module backports the missing permission.
+(allow container_engine_system_domain container_runtime_t (file (map)))
diff --git a/tests/images/trident-container-testimage/base/scripts/load-containerd-selinux-fix.sh b/tests/images/trident-container-testimage/base/scripts/load-containerd-selinux-fix.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# Load SELinux policy module that grants the 'map' permission on
+# container_runtime_t:file for container engines.  This fixes containerd
+# 2.2+ MountManager bbolt mmap() denials under enforcing mode.
+semodule -i /usr/share/selinux/packages/containerd-mmap-fix.cil
