From 5bba6b1eef787d092b605546a7dbfaa34e54eb75 Mon Sep 17 00:00:00 2001 From: Miriam Weiss Date: Tue, 1 Feb 2022 18:55:40 +0200 Subject: [PATCH] BZ:2040457 - Updated known issue in RN with additional information. --- .../sandboxed-containers-4.9-release-notes.adoc | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/sandboxed_containers/sandboxed-containers-4.9-release-notes.adoc b/sandboxed_containers/sandboxed-containers-4.9-release-notes.adoc index ee9797a836..cf05dbb1ea 100644 --- a/sandboxed_containers/sandboxed-containers-4.9-release-notes.adoc +++ b/sandboxed_containers/sandboxed-containers-4.9-release-notes.adoc 
@@ -47,7 +47,13 @@ You can now install the {sandboxed-containers-operator} in a disconnected enviro [id="sandboxed-containers-1-1-known-issues"] == Known issues -* If you are using {sandboxed-containers-first}, you cannot use the `hostPath` volume in an {product-title} cluster to mount a file or directory from the host node’s file system into your pod. As an alternative, you can use local persistent volumes. See xref:../storage/persistent_storage/persistent-storage-local.adoc[Persistent storage using local volumes] for more information. (link:https://bugzilla.redhat.com/show_bug.cgi?id=1904609[*BZ#1904609*]) +* If you are using {sandboxed-containers-first}, you might receive SELinux denials accessing files or directories mounted from the `hostPath` volume in an {product-title} cluster. These denials can occur even when running privileged sandboxed containers, since privileged sandboxed containers do not disable SELinux checks. ++ +Following SELinux policy on the host guarantees full isolation of the host file system from the sandboxed workload by default, and provides stronger protection against potential security flaws in `virtiofsd` or QEMU. ++ +If the mounted files or directories do not have specific SELinux requirements on the host, you can use local persistent volumes as an alternative. Files are automatically relabeled to `container_file_t`, following SELinux policy for container runtimes. See xref:../storage/persistent_storage/persistent-storage-local.adoc[Persistent storage using local volumes] for more information. ++ +Automatic relabeling is not an option when mounted files or directories are expected to have specific SELinux labels on the host. Instead, you can set custom SELinux rules on the host in order to allow virtiofsd to access these specific labels. (link:https://bugzilla.redhat.com/show_bug.cgi?id=1904609[*BZ#1904609*]) [id="sandboxed-containers-1-1-asynchronous-errata-updates"] == Asynchronous errata updates
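Review bot: The last added paragraph tells readers to "set custom SELinux rules on the host in order to allow virtiofsd to access these specific labels" but gives no cross-reference or procedure, whereas the local persistent volume alternative in the preceding paragraph does get an xref; without a pointer to how such rules are written and scoped, the advice is hard to act on and easy to over-apply, so either add an xref to the relevant SELinux procedure or state that the rules must be limited to the specific labels in question. Two smaller points in the same hunk: `virtiofsd` is set in backticks in the second added paragraph but not in the last one, so make the formatting consistent; and the known issue still links to BZ#1904609 while the commit subject cites BZ:2040457, so confirm which bug the updated text should reference (or whether both should be listed).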