Simplify SELinux detection and add --disable-selinux flag

pkg/agent/config/config.go

@@ -397,6 +397,7 @@ func get(envInfo *cmds.Agent) (*config.Node, error) {
 
 	nodeConfig := &config.Node{
 		Docker:                   envInfo.Docker,
+		DisableSELinux:           envInfo.DisableSELinux,
 		ContainerRuntimeEndpoint: envInfo.ContainerRuntimeEndpoint,
 		FlannelBackend:           controlConfig.FlannelBackend,
 	}
@@ -474,6 +475,7 @@ func get(envInfo *cmds.Agent) (*config.Node, error) {
 	nodeConfig.AgentConfig.DisableCCM = controlConfig.DisableCCM
 	nodeConfig.AgentConfig.DisableNPC = controlConfig.DisableNPC
 	nodeConfig.AgentConfig.Rootless = envInfo.Rootless
+	nodeConfig.DisableSELinux = envInfo.DisableSELinux
 
 	return nodeConfig, nil
 }

pkg/agent/containerd/containerd.go

@@ -171,11 +171,21 @@ func setupContainerdConfig(ctx context.Context, cfg *config.Node) error {
 		PrivateRegistryConfig: privRegistries,
 	}
 
-	selinux, err := selinuxEnabled()
+	selEnabled, selConfigured, err := selinuxStatus()
 	if err != nil {
 		return errors.Wrap(err, "failed to detect selinux")
 	}
-	containerdConfig.SELinuxEnabled = selinux
+	if cfg.DisableSELinux {
+		containerdConfig.SELinuxEnabled = false
+		if selEnabled {
+			logrus.Warn("SELinux is enabled for system but has been disabled for containerd by override")
+		}
+	} else {
+		containerdConfig.SELinuxEnabled = selEnabled
+	}
+	if containerdConfig.SELinuxEnabled && !selConfigured {
+		logrus.Warnf("SELinux is enabled for k3s but process is not running in context '%s', k3s-selinux policy may need to be applied", SELinuxContextType)
+	}
 
 	containerdTemplateBytes, err := ioutil.ReadFile(cfg.Containerd.Template)
 	if err == nil {

pkg/agent/containerd/selinux.go

@@ -8,20 +8,20 @@ const (
 	SELinuxContextType = "container_runtime_t"
 )
 
-func selinuxEnabled() (bool, error) {
+func selinuxStatus() (bool, bool, error) {
 	if !selinux.GetEnabled() {
-		return false, nil
+		return false, false, nil
 	}
 
 	label, err := selinux.CurrentLabel()
 	if err != nil {
-		return false, err
+		return true, false, err
 	}
 
 	ctx, err := selinux.NewContext(label)
 	if err != nil {
-		return false, err
+		return true, false, err
 	}
 
-	return ctx["type"] == SELinuxContextType, nil
+	return true, ctx["type"] == SELinuxContextType, nil
 }

pkg/cli/cmds/agent.go

@@ -28,6 +28,7 @@ type Agent struct {
 	Rootless                 bool
 	RootlessAlreadyUnshared  bool
 	WithNodeID               bool
+	DisableSELinux           bool
 	AgentShared
 	ExtraKubeletArgs   cli.StringSlice
 	ExtraKubeProxyArgs cli.StringSlice
@@ -127,6 +128,12 @@ var (
 		Usage: "(agent/node) Registering and starting kubelet with set of labels",
 		Value: &AgentConfig.Labels,
 	}
+	DisableSELinuxFlag = cli.BoolFlag{
+		Name:        "disable-selinux",
+		Usage:       "(agent/node) Disable SELinux in containerd if currently enabled",
+		Hidden:      true,
+		Destination: &AgentConfig.DisableSELinux,
+	}
 )
 
 func NewAgentCommand(action func(ctx *cli.Context) error) cli.Command {
@@ -169,6 +176,7 @@ func NewAgentCommand(action func(ctx *cli.Context) error) cli.Command {
 			NodeLabels,
 			NodeTaints,
 			DockerFlag,
+			DisableSELinuxFlag,
 			CRIEndpointFlag,
 			PauseImageFlag,
 			PrivateRegistryFlag,

pkg/cli/cmds/server.go

@@ -216,6 +216,7 @@ func NewServerCommand(action func(*cli.Context) error) cli.Command {
 			NodeLabels,
 			NodeTaints,
 			DockerFlag,
+			DisableSELinuxFlag,
 			CRIEndpointFlag,
 			PauseImageFlag,
 			PrivateRegistryFlag,

pkg/daemons/config/types.go

@@ -25,6 +25,7 @@ type Node struct {
 	Docker                   bool
 	ContainerRuntimeEndpoint string
 	NoFlannel                bool
+	DisableSELinux           bool
 	FlannelBackend           string
 	FlannelConf              string
 	FlannelConfOverride      bool