Inside a container selinux.Chcon fails although chcon command succeeds in applying a SELinux context

[empovit]

When executed inside a container, the following code

selinux.Chcon("/mps/nvidia.com/gpu/pipe", "container_file_t", true)

fails for me with

lsetxattr /mps/nvidia.com/gpu/pipe: invalid argument

However, this code runs without errors and successfully updates the SELinux type:

import "os/exec"

output, err := chconCmd.CombinedOutput()
if err != nil {
	klog.Errorf("\n%v", string(output))
	return err
}
chconCmd := exec.Command("chcon", "-R", "-t", "container_file_t", "/mps/nvidia.com/gpu/pipe")

The container is running privileged on OpenShift (RHCOS).

[rhatdan]

I do not know what label is being set, which could cause that error. I opened
#216 to display the error.

I would think this is something to do with SELinux failing to get the correct label when run within a container, but I am not sure.

[empovit]

Thank you @rhatdan. I've applied the patch and the error message I'm now getting is

lsetxattr(label=container_file_t) /mps/nvidia.com/gpu/pipe: invalid argument

[rhatdan]

Try
selinux.Chcon("/mps/nvidia.com/gpu/pipe", "system_u:object_r:container_file_t:s0", true)

[empovit]

Thanks @rhatdan, it worked!

Why is the discrepancy between the API and command? Should I read the full context first, then modify the type and write the context back? This is what chcon -t does, I assume. Or is it safe to apply the full label right away?

[rhatdan]

An SELinux label is "system_u:object_r:container_file_t:s0" not "container_file_t" When dealing with labels the use of container_file_t as the type, is expanded to the full SELinux label based on the process setting the label.

ps -eZ | grep podman
unconfined_u:unconfined_r:container_runtime_t:s0-s0:c0.c1023 69276 pts/0 00:00:00 podman

Setting the container_file_t would become

unconfined_u:object_r:container_file_t:s0-s0:c0.c1023

Thus the SELinux User unconfined_u; the SELinux MCS Label: s0-s0:c0,c1023: and the specified type: container_file_t

the Role object_r is because file types do not have roles. so we hard code object_r for all file types.