recursive Relabel() skips symlinks

[rrayst]

Problem

As described in the comment, Relabel() should recursively change the SELinux label on a path and all entries beneath that path.

selinux/go-selinux/label/label_linux.go

Line 106 in c9f6104

// Relabel changes the label of path and all the entries beneath the path.

Currently, it skips symlinks (and instead relabels their targets).

Explanation

1b18907 changed the semantics of setFileLabel() from not-dereferencing to dereferencing symlinks before applying the label change. (It also introduced the non-dereferencing lSetFileLabel(): The setFileLabel/ lSetFileLabel semantics became the same as the one of the kernel syscalls setxattr/lsetxattr.)

Relabel() mentioned above calls (Relabel -> Chcon -> chcon ->) rchcon to get the job done. rchcon recursively calls setFileLabel on the path as well as on each item below.

selinux/go-selinux/rchcon.go

Lines 13 to 15 in c9f6104

	func rchcon(fpath, label string) error {
	return pwalkdir.Walk(fpath, func(p string, _ fs.DirEntry, _ error) error {
	e := setFileLabel(p, label)

Solution

This should be changed to lSetFileLabel().

---

Result

When running Kubernetes (kubelet) 1.23.4 on top of containerD 1.6.0 on a SELinux-enabled system, this causes ConfigMaps to be unusuable by normal Pods:

[root@node ~]# ls -laZR /var/lib/kubelet/pods/2839514d-bc4b-4521-b029-5474a9c96fc5/volumes/kubernetes.io~configmap/config
/var/lib/kubelet/pods/2839514d-bc4b-4521-b029-5474a9c96fc5/volumes/kubernetes.io~configmap/config:
total 0
drwxrwsrwx. 3 root core system_u:object_r:container_file_t:s0:c294,c792 89 Mar 17 21:48 .
drwxr-xr-x. 3 root root system_u:object_r:container_var_lib_t:s0        20 Mar 17 21:48 ..
drwxr-sr-x. 2 root core system_u:object_r:container_file_t:s0:c294,c792 36 Mar 17 21:48 ..2022_03_17_21_48_25.904560199
lrwxrwxrwx. 1 root core system_u:object_r:container_var_lib_t:s0        31 Mar 17 21:48 ..data -> ..2022_03_17_21_48_25.904560199
lrwxrwxrwx. 1 root core system_u:object_r:container_var_lib_t:s0        29 Mar 17 21:48 demo.json -> ..data/demo.json

/var/lib/kubelet/pods/2839514d-bc4b-4521-b029-5474a9c96fc5/volumes/kubernetes.io~configmap/config/..2022_03_17_21_48_25.904560199:
total 4
drwxr-sr-x. 2 root core system_u:object_r:container_file_t:s0:c294,c792  36 Mar 17 21:48 .
drwxrwsrwx. 3 root core system_u:object_r:container_file_t:s0:c294,c792  89 Mar 17 21:48 ..
-rw-r--r--. 1 root core system_u:object_r:container_file_t:s0:c294,c792 350 Mar 17 21:48 demo.json

(In contrast to the directories and normal files, the symlinks have not been relabeled and are therefore not readable by any process running inside of the container.)

[rrayst]

Fixed by #173 .