[PATCH] nvme-tcp: fix selinux denied when calling sock_sendmsg
Keith Busch
kbusch at kernel.org
Thu Mar 20 13:15:19 PDT 2025
On Thu, Mar 20, 2025 at 02:35:23PM +0800, shaopeijie at cestc.cn wrote:
> From: Peijie Shao <shaopeijie at cestc.cn>
>
> In a SELinux enabled kernel, socket_create() initializes the
> security label of the socket using the security label of the
> calling process, this typically works well.
>
> However, in a containerized environment like Kubernetes,
> problem arises when a privileged container(domain spc_t)
> connects to an NVMe target and mounts the NVMe as persistent
> storage for unprivileged containers(domain container_t).
>
> This is because the container_t domain cannot access
> resources labeled with spc_t, resulting in socket_sendmsg
> returning -EACCES.
>
> The solution is to use socket_create_kern() instead of
> socket_create(), which labels the socket context to kernel_t.
> Access control will then be handled by the VFS layer rather
> than the socket itself.
Thanks, applied to nvme-6.15.
More information about the Linux-nvme
mailing list