configuring stargz-snapshotter in selinux enabled environments #1848

Open
1602077 opened this issue Nov 1, 2024 · 0 comments
1602077 commented Nov 1, 2024

Hey,

I am attempting to configure stargz-snapshotter with selinux enabled and running into issues with pods that would otherwise run being rejected by selinux.

My containerd configuration is as follows:

```toml
# /etc/containerd/config.toml
version = 2
root = "/var/lib/containerd"

[plugins]

  [plugins."io.containerd.grpc.v1.cri"]
    sandbox_image = "registry-mirror.k8s.io/pause:3.10"
    enable_selinux = true

  [plugins."io.containerd.grpc.v1.cri".containerd]
    snapshotter = "stargz"
    disable_snapshot_annotations = false

  [proxy_plugins]
    [proxy_plugins.stargz]
      type = "snapshot"
      address = "/run/containerd-stargz-grpc/containerd-stargz-grpc.sock"
```

```toml
# /etc/containerd/stargz/config.toml
no_background_fetch = true
[cri_keychain]
enable_keychain = true
image_service_path = "/run/containerd/containerd.sock"
```

Attempting to run the following pod on a node with stargz configured results in the pod going into CrashLoopBackOff:

```yaml
apiVersion: v1
kind: Pod
metadata:
  labels:
    run: test
  name: test
spec:
  containers:
  - image: registry.k8s.io/pause:3.10
    name: test
```

with the following error:

```
Error: failed to create containerd task: failed to create shim task: OCI runtime create failed: runc create failed: unable to create new parent process: namespace path: lstat /proc/963577/ns/ipc: no such file or directory: unknown.
```

I understand that this is due to a selinux violation as when accessing the node I see the following:

```
$ ausearch -m AVC -ts recent -i
----
type=AVC msg=audit(11/01/24 11:53:18.263:12140) : avc:  denied  { read } for  pid=961692 comm=pause path=/pause dev="vda4" ino=30130280 scontext=system_u:system_r:container_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
```

However, deploying the same pod configuration without stargz enabled in containerd (but selinux enabled, config provided below) results in the pod being deployed all okay.

```toml
version = 2
root = "/var/lib/containerd"

[plugins]
  [plugins."io.containerd.grpc.v1.cri"]
    sandbox_image = "registry-mirror.k8s.io/pause:3.10"
    enable_selinux = true
```

Am I doing something obviously wrong when configuring containerd with estargz? Any pointers would be greatly appreciated!

If there is anything else I can provide to help please do let me know. I can give full dumps of the containerd config for example, but for now I was trying to filter out any noise to make it as easy as possible for review.

Cheers,
Jack
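As an added example that is not part of this issue or of the stargz-snapshotter project: a small POSIX shell helper that parses an AVC record of the shape shown in the report, pulls out the source and target SELinux types, and flags a target label that is not one a container rootfs is expected to carry. The expected types (`container_file_t`, `container_ro_file_t`) are an assumption taken from container-selinux defaults, and the sample record is constructed from the denial above.

```shell
#!/bin/sh
# Added example, not from the issue: triage AVC denials hitting container
# processes and report rootfs paths that carry an unexpected SELinux type.

# Constructed sample, shaped like the denial in the report (same fields).
SAMPLE_AVC='type=AVC msg=audit(11/01/24 11:53:18.263:12140) : avc:  denied  { read } for  pid=961692 comm=pause path=/pause dev="vda4" ino=30130280 scontext=system_u:system_r:container_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0'

# avc_field LINE KEY -> value of the "KEY=value" pair in the record
avc_field() {
  printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# avc_type CONTEXT -> type field of user:role:type:level
avc_type() {
  printf '%s\n' "$1" | cut -d: -f3
}

# avc_check LINE -> prints a verdict and returns
#   0 when the target carries an expected container label
#   1 when a container process was denied on a mislabeled path
#   2 when the denial did not come from a container domain
avc_check() {
  line=$1
  src=$(avc_type "$(avc_field "$line" scontext)")
  tgt=$(avc_type "$(avc_field "$line" tcontext)")
  path=$(avc_field "$line" path)
  case "$src" in
    container_t|container_init_t) ;;
    *) printf 'not-a-container-denial %s\n' "$src"; return 2 ;;
  esac
  # Assumed expected labels for files under a container rootfs
  # (container-selinux defaults); anything else points at a mount that
  # was never relabeled for container use.
  case "$tgt" in
    container_file_t|container_ro_file_t) printf 'ok\n'; return 0 ;;
    *) printf 'mislabeled %s %s\n' "$path" "$tgt"; return 1 ;;
  esac
}

# Run over the constructed sample when executed directly.
avc_check "$SAMPLE_AVC" || true
```

Feeding the raw output of `ausearch -m AVC -i` through `avc_check` line by line gives a quick list of which paths in the snapshotter's mounts are labeled with a non-container type.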
