- Bug
- Resolution: Not a Bug
- Critical
- None
- 4.13.0
- None
- Critical
- Yes
- Approved
- False
Description of problem:
When debugging why the baremetal networking stack fails when running on RHCOS9 (currently CentOS Stream 9), we're observing SELinux access denials to system libraries inside the pod. These pods are privileged, but they are not host-mounting paths for these system libraries.
Version-Release number of selected component (if applicable):
4.13 RHCOS 9.2
How reproducible:
100%
Steps to Reproduce:
1. Install using a RHCOS 9.2 build on baremetal, observe selinux denials
2. oc adm release extract --command=openshift-install quay.io/sdodsonrht/rhcos9.2:413.92.202302081904-0
3. ./openshift-install
Actual results:
type=AVC msg=audit(1676426562.256:2813): avc: denied { read } for pid=281167 comm="runtimecfg" path="/usr/lib64/libpthread-2.28.so" dev="sda4" ino=10496760 scontext=system_u:system_r:container_t:s0:c220,c813 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1676426563.097:2814): avc: denied { read } for pid=281270 comm="runtimecfg" path="/usr/lib64/libpthread-2.28.so" dev="sda4" ino=10496760 scontext=system_u:system_r:container_t:s0:c175,c184 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1676426563.858:2815): avc: denied { read } for pid=281357 comm="runtimecfg" path="/usr/lib64/libpthread-2.28.so" dev="sda4" ino=10496760 scontext=system_u:system_r:container_t:s0:c24,c227 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1676426564.671:2816): avc: denied { read } for pid=281465 comm="runtimecfg" path="/usr/lib64/libpthread-2.28.so" dev="sda4" ino=10496760 scontext=system_u:system_r:container_t:s0:c845,c1009 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=0
Expected results:
No selinux denials
Additional info:
I'll attach the pod spec to this jira. The container in question is the initContainer.
# rpm -q container-selinux selinux-policy-targeted cri-o crun runc
container-selinux-2.199.0-1.el9.noarch
selinux-policy-targeted-38.1.5-1.el9.noarch
cri-o-1.26.1-4.rhaos4.13.gita78722c.el9.x86_64
crun-1.8-1.el9.x86_64
runc-1.1.4-1.el9.x86_64
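A small triage helper for the denials quoted under "Actual results" (an added example, not part of the bug report or of any OpenShift component): it parses the AVC records and groups them by process, source type, target type and path, which makes visible that four separate pods with different MCS category sets were all denied on the same unchanging target label, container_var_lib_t. The sample input is the report's own four records, embedded inline.

```python
import re
from collections import defaultdict

# Sample input, constructed for offline use: the four denial records quoted
# in the report, with their field values copied verbatim.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1676426562.256:2813): avc: denied { read } for pid=281167 comm="runtimecfg" path="/usr/lib64/libpthread-2.28.so" dev="sda4" ino=10496760 scontext=system_u:system_r:container_t:s0:c220,c813 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1676426563.097:2814): avc: denied { read } for pid=281270 comm="runtimecfg" path="/usr/lib64/libpthread-2.28.so" dev="sda4" ino=10496760 scontext=system_u:system_r:container_t:s0:c175,c184 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1676426563.858:2815): avc: denied { read } for pid=281357 comm="runtimecfg" path="/usr/lib64/libpthread-2.28.so" dev="sda4" ino=10496760 scontext=system_u:system_r:container_t:s0:c24,c227 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1676426564.671:2816): avc: denied { read } for pid=281465 comm="runtimecfg" path="/usr/lib64/libpthread-2.28.so" dev="sda4" ino=10496760 scontext=system_u:system_r:container_t:s0:c845,c1009 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=0
"""

# Record header: audit(timestamp:serial), then the denied permission set in braces.
AVC_RE = re.compile(r'type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): '
                    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for (?P<rest>.*)$')
# Trailing key=value pairs; comm, path and dev are quoted, the rest are bare.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC denial line into a dict; return None for other records."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": float(m["ts"]), "serial": int(m["serial"]),
           "perms": tuple(m["perms"].split())}
    for key, val in KV_RE.findall(m["rest"]):
        rec[key] = val.strip('"')
    # A context is user:role:type:level[:categories]; keep type and MCS categories.
    for side in ("scontext", "tcontext"):
        parts = rec[side].split(":")
        rec[side + "_type"] = parts[2]
        rec[side + "_cats"] = parts[4] if len(parts) > 4 else ""
    return rec


def group_denials(audit_text):
    """Group denials by (comm, source type, target type, path, perms), keeping
    a count and the distinct source MCS category sets: several category sets
    denied on one target label points at the file's label, not at one pod."""
    groups = defaultdict(lambda: {"count": 0, "source_cats": set()})
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["comm"], rec["scontext_type"], rec["tcontext_type"],
               rec.get("path", ""), rec["perms"])
        groups[key]["count"] += 1
        groups[key]["source_cats"].add(rec["scontext_cats"])
    return dict(groups)
```

Feeding `ausearch -m AVC` output in place of SAMPLE_AUDIT gives the same grouping for a live node.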
- blocks:
  - COS-1926 Move RHCOS to RHEL 9.2 in OCP 4.13 (Closed)
  - OCPBUGS-7293 RHCOS 9.2 Failing to Bootstrap on Metal, OpenStack, vSphere (all baremetal runtime platforms) (Closed)