tests: [workaround] containerd 2.2 SELinux mmap denial for container images

tests/images/trident-container-installer/base/baseimg.yaml

@@ -40,6 +40,7 @@ os:
       - mdadm
       - moby-engine
       - openssh-server
+      - selinux-policy
       - squashfs-tools
       - tar
       - vim
@@ -53,6 +54,8 @@ os:
       destination: /root/.profile
     - source: files/trident-container.service
       destination: /usr/lib/systemd/system/trident-container.service
+    - source: files/containerd-mmap-fix.cil
+      destination: /usr/share/selinux/packages/containerd-mmap-fix.cil
 
   services:
     enable:
@@ -62,6 +65,7 @@ os:
 scripts:
   postCustomization:
     - path: scripts/post-install.sh
+    - path: scripts/load-containerd-selinux-fix.sh
 
 iso:
   additionalFiles:

tests/images/trident-container-installer/base/files/containerd-mmap-fix.cil

@@ -0,0 +1,7 @@
+; Fix for containerd 2.2+ MountManager plugin SELinux denial.
+; containerd 2.2 introduces a MountManager that opens a bbolt DB under
+; /run/containerd/ using mmap(). The base refpolicy (RELEASE_2_20240226)
+; grants manage_file_perms on container_runtime_t:file but that set does
+; not include 'map'. Upstream fixed this in commit 7876e51510 (May 2024).
+; This module backports the missing permission.
+(allow container_engine_system_domain container_runtime_t (file (map)))

tests/images/trident-container-installer/base/scripts/load-containerd-selinux-fix.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+# Load SELinux policy module that grants the 'map' permission on
+# container_runtime_t:file for container engines.  This fixes containerd
+# 2.2+ MountManager bbolt mmap() denials under enforcing mode.
+semodule -i /usr/share/selinux/packages/containerd-mmap-fix.cil

tests/images/trident-container-testimage/base/baseimg.yaml

@@ -66,12 +66,15 @@ os:
 
       - docker-cli
       - moby-engine
+      - selinux-policy
       - squashfs-tools
       - tar
 
   additionalFiles:
   - source: files/trident-container.service
     destination: /usr/lib/systemd/system/trident-container.service
+  - source: files/containerd-mmap-fix.cil
+    destination: /usr/share/selinux/packages/containerd-mmap-fix.cil
 
   services:
     enable:
@@ -81,3 +84,4 @@ os:
 scripts:
   postCustomization:
   - path: scripts/post-install.sh
+  - path: scripts/load-containerd-selinux-fix.sh

tests/images/trident-container-testimage/base/files/containerd-mmap-fix.cil

@@ -0,0 +1,7 @@
+; Fix for containerd 2.2+ MountManager plugin SELinux denial.
+; containerd 2.2 introduces a MountManager that opens a bbolt DB under
+; /run/containerd/ using mmap(). The base refpolicy (RELEASE_2_20240226)
+; grants manage_file_perms on container_runtime_t:file but that set does
+; not include 'map'. Upstream fixed this in commit 7876e51510 (May 2024).
+; This module backports the missing permission.
+(allow container_engine_system_domain container_runtime_t (file (map)))

tests/images/trident-container-testimage/base/scripts/load-containerd-selinux-fix.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+# Load SELinux policy module that grants the 'map' permission on
+# container_runtime_t:file for container engines.  This fixes containerd
+# 2.2+ MountManager bbolt mmap() denials under enforcing mode.
+semodule -i /usr/share/selinux/packages/containerd-mmap-fix.cil