LPP fails to cleanup PV due to additional SELinux range labels on PV directory #484

Open
pog-charlesinglese opened this issue Mar 13, 2025 · 1 comment

Comments

pog-charlesinglese commented Mar 13, 2025

When using local-path-provisioner:v0.0.30 with K3s in SELinux-enabled mode, creation of PVs yields an additional MLS label on the directory that results in the helperPod being unable to delete the directory upon cleanup due to an SELinux source and target mismatch.

I'm running with SELinux in targeted mode. I've verified that it's not the helperPod itself that is adding the additional SELinux label.

Creation of a PV using the helperPod (auto mode) [note the additional c440,c581, which is ephemeral]:

drwxrwxrwx. 2 root root system_u:object_r:container_file_t:s0:c440,c581    6 Mar 12 07:23 pvc-2af9d7b1-78a3-48d4-bf11-c3286608a73a_default_local-path-pvc

My test using a statically created helperPod (manual mode) [I created the directory using /bin/sh /script/setup ${VOL_DIR}]:

drwxrwxrwx. 2 root root system_u:object_r:container_file_t:s0              6 Mar 12 07:35 test

Environment details:

  • kubectl get cm -n kube-system local-path-config -o yaml
apiVersion: v1
data:
  config.json: |-
    {
      "nodePathMap":[
      {
        "node":"DEFAULT_PATH_FOR_NON_LISTED_NODES",
        "paths":["/kubernetes-k3s/var/lib/rancher/storage"]
      }
      ]
    }
  helperPod.yaml: |-
    apiVersion: v1
    kind: Pod
    metadata:
      name: helper-pod
    spec:
      containers:
      - name: helper-pod
        image: "rancher/mirrored-library-busybox:1.36.1"
        imagePullPolicy: IfNotPresent
      securityContext:
        seLinuxOptions:
          level: "s0"
  setup: |-
    #!/bin/sh
    set -eu
    mkdir -m 0777 -p "${VOL_DIR}"
    chmod 700 "${VOL_DIR}/.."
  teardown: |-
    #!/bin/sh
    set -eu
    rm -rf "${VOL_DIR}"
kind: ConfigMap
metadata:
  annotations:
    objectset.rio.cattle.io/applied: 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
    objectset.rio.cattle.io/id: ""
    objectset.rio.cattle.io/owner-gvk: k3s.cattle.io/v1, Kind=Addon
    objectset.rio.cattle.io/owner-name: local-storage
    objectset.rio.cattle.io/owner-namespace: kube-system
  creationTimestamp: "2025-03-11T17:57:43Z"
  labels:
    objectset.rio.cattle.io/hash: 183f35c65ffbc3064603f43f1580d8c68a2dabd4
  name: local-path-config
  namespace: kube-system
  resourceVersion: "37657"
  uid: d98842ac-6980-4492-a1c4-204bd54567ca
  • k3s --version:
k3s version v1.30.6+k3s1 (1829eaae)
go version go1.22.8
  • rpm -qa | grep k3s:
k3s-selinux-1.6-1.el9.noarch
  • sestatus:
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33

I've been using the example deployments on local-path-provisioner to test the Pod/PVC creation/deletion and what SELinux labels are getting added to the PV directory.
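The following is an added example, not code from the issue or from the local-path-provisioner project. It takes `ls -Z`-style lines like the two shown above (a constructed sample, copied in shape from the issue) and reports which PV directories a helper pod at a given `seLinuxOptions.level` would be unable to `rm -rf`. It assumes the MCS rule of the targeted policy: a process may write to or unlink a file only when its category set dominates (is a superset of) the file's, so a helper pod at plain `s0` cannot remove a directory labelled `s0:c440,c581`. The sensitivity is assumed to be `s0` throughout, as in every context on this page; `matching_level` is a hypothetical helper showing the level a teardown pod would need, one possible workaround rather than the project's fix.

```shell
#!/bin/sh
# Added example, not code from local-path-provisioner: decide from an `ls -Z`
# listing which PV directories a helper pod at a given SELinux level can remove.
# Assumption: under the targeted policy's MCS constraints a process may unlink a
# file only when its category set is a superset of (dominates) the file's; a
# helper pod at plain "s0" therefore cannot rm -rf a directory labelled
# "s0:c440,c581". Sensitivity is assumed to be s0 throughout, as in the issue.

# Constructed sample listing (same shape as the two lines in the issue).
SAMPLE_LISTING='drwxrwxrwx. 2 root root system_u:object_r:container_file_t:s0:c440,c581 6 Mar 12 07:23 pvc-2af9d7b1-78a3-48d4-bf11-c3286608a73a_default_local-path-pvc
drwxrwxrwx. 2 root root system_u:object_r:container_file_t:s0 6 Mar 12 07:35 test'

# level_cats CTX: print the category field of a full context
# (user:role:type:s0:c440,c581) or a bare level (s0:c440,c581); empty if none.
level_cats() {
  rest=$1
  case $rest in
    *:s[0-9]*) rest="s${rest##*:s}" ;;   # drop user:role:type, keep "s0..." onwards
  esac
  case $rest in
    *:*) printf '%s\n' "${rest#*:}" ;;   # everything after the sensitivity
    *)   printf '\n' ;;
  esac
}

# expand_cats FIELD: print each category number on its own line, sorted.
# Accepts comma lists (c440,c581) and dot ranges (c0.c1023) as written by ls -Z.
expand_cats() {
  printf '%s\n' "$1" | tr ',' '\n' | while IFS= read -r c; do
    [ -n "$c" ] || continue
    case $c in
      c*.c*) lo=${c%%.*}; hi=${c##*.}; lo=${lo#c}; hi=${hi#c}
             i=$lo; while [ "$i" -le "$hi" ]; do echo "$i"; i=$((i+1)); done ;;
      c*)    echo "${c#c}" ;;
    esac
  done | sort -n
}

# dominates PROC_LEVEL FILE_CTX: succeed when every category on the file is also
# held by the process, i.e. when MCS will allow the process to write/unlink it.
dominates() {
  proc_cats=$(expand_cats "$(level_cats "$1")")
  file_cats=$(expand_cats "$(level_cats "$2")")
  for c in $file_cats; do
    printf '%s\n' "$proc_cats" | grep -qx "$c" || return 1
  done
  return 0
}

# undeletable_by LEVEL: read ls -Z lines on stdin, print names the level cannot remove.
undeletable_by() {
  while read -r _perm _links _user _group ctx _size _mon _day _time name; do
    dominates "$1" "$ctx" || printf '%s\n' "$name"
  done
}

# matching_level FILE_CTX (hypothetical helper): the seLinuxOptions.level a
# teardown pod would need to dominate this directory; assumes sensitivity s0.
matching_level() {
  cats=$(level_cats "$1")
  if [ -n "$cats" ]; then printf 's0:%s\n' "$cats"; else printf 's0\n'; fi
}

main() {
  echo "Directories a helper pod at level s0 cannot rm -rf:"
  printf '%s\n' "$SAMPLE_LISTING" | undeletable_by s0
  echo "Level the teardown pod would need for the first directory:"
  matching_level 'system_u:object_r:container_file_t:s0:c440,c581'
}
main
```

Run it against real output with `ls -Z /kubernetes-k3s/var/lib/rancher/storage | undeletable_by s0` (after sourcing the functions) to list the directories a level-`s0` helper pod will fail on; a process whose context carries the full `c0.c1023` range dominates everything and is reported as able to remove them all.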

@pog-charlesinglese
Author

Appears related to #460

@pog-charlesinglese pog-charlesinglese changed the title LPP fails to cleanup PV due to additional MLS labels on PV directory LPP fails to cleanup PV due to additional SELinux range labels on PV directory Mar 13, 2025