tests: [workaround] containerd 2.2 SELinux mmap denial for container images#676
Merged
…ages containerd 2.2+ introduces a MountManager plugin that mmap()s a bbolt DB under /run/containerd/. The AZL 3.0 SELinux policy (refpolicy RELEASE_2_20240226) grants manage_file_perms on container_runtime_t:file which does not include the 'map' permission, causing a cascade failure that surfaces as 'unknown service containerd.services.tasks.v1.Tasks'. Add a CIL policy module that backports the upstream fix (refpolicy commit 7876e51510) to grant the missing 'map' permission. Apply it to both container-installer and container-testimage via postCustomization.

Changes:
- Add containerd-mmap-fix.cil and load-containerd-selinux-fix.sh to both container-installer and container-testimage
- Install selinux-policy package in both images
- Remove enforcing=0 kernel param from container-installer
- Remove setenforce 0 workaround from container-testimage service file (resolves bug #9508 TODO)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Keep existing SELinux workarounds in place. The CIL policy fix is additive — removing the workarounds should be a separate step after validation. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Pull request overview
This PR adds a targeted SELinux policy backport/workaround for Azure Linux’s pinned refpolicy version so containerd 2.2+ can mmap() its MountManager bbolt DB under /run/containerd/ without SELinux map denials, preventing downstream container engine failures in enforcing mode.
Changes:
- Adds a small CIL policy module granting `map` on `container_runtime_t:file` to `container_engine_system_domain`.
- Ensures `selinux-policy` is present in both container images and stages the CIL module into the image filesystem.
- Loads the module during image build via a new `postCustomization` script for both the installer and test image.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| tests/images/trident-container-testimage/base/scripts/load-containerd-selinux-fix.sh | Installs the CIL module during the image build customization phase. |
| tests/images/trident-container-testimage/base/files/containerd-mmap-fix.cil | Defines the minimal SELinux allow rule granting map for the affected type/domain pair. |
| tests/images/trident-container-testimage/base/baseimg.yaml | Installs selinux-policy, stages the CIL file, and runs the loader script during build. |
| tests/images/trident-container-installer/base/scripts/load-containerd-selinux-fix.sh | Installs the same CIL module during the installer image build customization phase. |
| tests/images/trident-container-installer/base/files/containerd-mmap-fix.cil | Same SELinux CIL allow rule for the installer image. |
| tests/images/trident-container-installer/base/baseimg.yaml | Installs selinux-policy, stages the CIL file, and runs the loader script during build. |
fintelia approved these changes on Jun 8, 2026
Summary
containerd 2.2+ introduces a MountManager plugin that mmap()s a bbolt DB under `/run/containerd/`. The AZL 3.0 SELinux policy (refpolicy `RELEASE_2_20240226`) grants `manage_file_perms` on `container_runtime_t:file`, which does not include the `map` permission, causing a cascade failure that surfaces as:

```
docker: Error response from daemon: failed to create task for container:
unknown service containerd.services.tasks.v1.Tasks: not implemented
```

Upstream refpolicy fixed this in commit [7876e51510](https://github.com/SELinuxProject/refpolicy/commit/7876e51510) (May 2024), but AZL's pinned version predates it.
Validation
https://dev.azure.com/mariner-org/ECF/_build/results?buildId=1134778
AZL bug
https://microsoft.visualstudio.com/OS/_workitems/edit/62602180
Changes
- Add a CIL policy module (`containerd-mmap-fix.cil`) that grants the missing `map` permission on `container_runtime_t:file` for `container_engine_system_domain`
- Add the `selinux-policy` package to both container images
- Load the module via a `postCustomization` script in `trident-container-installer` and `trident-container-testimage`
Related
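Added example, not code from this PR, from Trident or from refpolicy: a small POSIX shell helper that derives a CIL allow rule from an SELinux AVC `map` denial of the kind behind the failure described in the Summary, next to the rule the PR's module grants against the `container_engine_system_domain` attribute. The AVC line, its `/run/containerd/example.db` path and the assumption that containerd's source type is `container_runtime_t` are constructed for illustration; `load_cil_module` assumes `semodule` from policycoreutils and is not run here.

```shell
#!/bin/sh
# Added example (not part of the PR). The AVC line below is constructed:
# pid, inode and path are made up, and the scontext type is assumed to be
# container_runtime_t; the tcontext/class/permission match the Summary.
SAMPLE_AVC='type=AVC msg=audit(1717800000.123:456): avc:  denied  { map } for  pid=1234 comm="containerd" path="/run/containerd/example.db" dev="tmpfs" ino=42 scontext=system_u:system_r:container_runtime_t:s0 tcontext=system_u:object_r:container_runtime_t:s0 tclass=file permissive=0'

# Read AVC lines on stdin; print "source_type target_type class perm..." per denial.
avc_fields() {
    sed -n 's/.*denied *{ *\([a-z_ ]*[a-z_]\) *}.*scontext=[^:]*:[^:]*:\([a-z_]*\):.*tcontext=[^:]*:[^:]*:\([a-z_]*\):.*tclass=\([a-z_]*\).*/\2 \3 \4 \1/p'
}

# Emit one CIL allow rule: $1=source domain, $2=target type, $3=class, $4..=perms.
cil_allow() {
    src=$1; tgt=$2; cls=$3; shift 3
    printf '(allow %s %s (%s (%s)))\n' "$src" "$tgt" "$cls" "$*"
}

# Convert a single AVC line to a CIL rule naming the exact source type seen
# in the denial (what audit2allow would produce). Returns 1 if not a denial.
avc_to_cil() {
    fields=$(printf '%s\n' "$1" | avc_fields)
    [ -n "$fields" ] || return 1
    # shellcheck disable=SC2086  # splitting into positional parameters is intended
    set -- $fields
    cil_allow "$@"
}

# The rule this PR's containerd-mmap-fix.cil carries: granted to the
# container_engine_system_domain attribute, as the upstream refpolicy fix
# does, so every container engine domain gets map, not only the type in the AVC.
containerd_map_fix_cil() {
    cil_allow container_engine_system_domain container_runtime_t file map
}

# Install a CIL module on a SELinux host. Needs root and policycoreutils;
# semodule accepts a .cil file directly and names the module after the file.
load_cil_module() {
    command -v semodule >/dev/null 2>&1 || { echo "semodule not available" >&2; return 2; }
    semodule -i "$1"
}

# Stand-alone use: print the rule derived from the sample denial and the PR's rule.
if [ "${1:-}" = "--demo" ]; then
    avc_to_cil "$SAMPLE_AVC"
    containerd_map_fix_cil
fi
```

After loading on a host, `sesearch -A -s container_engine_system_domain -t container_runtime_t -c file -p map` (setools) shows whether the rule is active.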