Describe the bug
On an on-premises Kubernetes cluster based on Fedora CoreOS 43, Kubernetes 1.35 and cri-o 1.35 with SELinux enabled, I ran a pod enabling two different features: host network and user namespaces. The result was that SELinux became disabled, without any log, even in the audit log file.
The only row in the audit.log after the pod startup, even with "semodule --disable_dontaudit --build", is:
type=BPF msg=audit(1775234723.583:310): prog-id=125 op=LOAD
Even stranger, after that I can see in audit.log errors like:
type=AVC msg=audit(1775234826.199:317): avc: denied { siginh } for pid=7748 comm="sshd-session" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_session_t:s0-s0:c0.c1023 tclass=process permissive=0
As if SELinux was running but something else had gone south, like the filesystem configuration...
I haven't found any relevant documentation. Apparently under the same conditions the problem doesn't appear on a standard Fedora.
Reproduction steps
- Build a bootc image with Fedora 43 and Kubernetes 1.35
- Configure a Kubernetes cluster with kubeadm
- Enable the feature gate UserNamespacesHostNetworkSupport=true and run a pod with hostNetwork=true and hostUsers=false
Expected behavior
Pod running with a random pid and access to the host network
Actual behavior
SELinux disabled (apparently). Also systemd is unreachable via systemctl.
System details
rpm-ostree status -b
State: idle
BootedDeployment:
● ostree-unverified-registry:registry.ntsc.com/fc-bootc-k:f43-1.35-60
Digest: sha256:be3f3df0a97c78eb15bf81cc87c03af2cd4b3732bc8527accedb45c9fd21604b
Version: 43.20260325.0 (2026-03-25T12:53:28Z)
QEMU/KVM running a Fedora 43 CoreOS build with bootc
Butane or Ignition config
Additional information
kubernetes/kubernetes#138020
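Added diagnostic script, not part of the issue report or of any project mentioned in it: it tells a kernel with SELinux really off apart from one where selinuxfs is simply no longer visible (the state getenforce reports as "Disabled"), and counts permissive=0 AVC records, which are evidence the kernel is still enforcing. The optional root-prefix argument is an assumption of this script, and the sample audit log is constructed from the two records quoted above plus one invented record.

```shell
#!/bin/sh
# Added diagnostic, not part of the issue. Tells two states apart that both
# look like "SELinux disabled" from userspace: the kernel running without
# SELinux, versus selinuxfs (/sys/fs/selinux) no longer visible while the
# kernel still enforces. $1 is an optional root prefix (assumed convention).

selinux_probe() {
    root="${1:-}"
    enforce_file="$root/sys/fs/selinux/enforce"
    init_ctx_file="$root/proc/1/attr/current"
    # getenforce answers "Disabled" whenever libselinux cannot find selinuxfs,
    # so a lost mount and a disabled kernel look identical to it.
    if [ ! -r "$enforce_file" ]; then
        echo "selinuxfs-missing"
        return 0
    fi
    case "$(cat "$enforce_file")" in
        1) mode=enforcing ;;
        0) mode=permissive ;;
        *) mode=unknown ;;
    esac
    # PID 1's label shows whether systemd itself is still confined in a domain.
    init_ctx=$(cat "$init_ctx_file" 2>/dev/null || echo unlabeled)
    echo "$mode:$init_ctx"
}

# Count AVC records with permissive=0: each one proves the kernel was still
# enforcing at that moment, whatever getenforce reports afterwards.
enforcing_avc_count() {
    n=$(grep -c 'type=AVC .*permissive=0' "$1" 2>/dev/null || true)
    echo "${n:-0}"
}

# Constructed sample log: the two records quoted in the issue plus one
# invented permissive=1 record for contrast.
sample_audit_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
type=BPF msg=audit(1775234723.583:310): prog-id=125 op=LOAD
type=AVC msg=audit(1775234826.199:317): avc: denied { siginh } for pid=7748 comm="sshd-session" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_session_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1775234830.001:318): avc: denied { read } for pid=7750 comm="example" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
EOF
    echo "$f"
}

# Stand-alone run: probe the running host, then count on the sample.
selinux_probe
f=$(sample_audit_log)
enforcing_avc_count "$f"; rm -f "$f"
```

Run it on the node right after the pod starts: "selinuxfs-missing" together with a non-zero permissive=0 count points at lost mounts or namespace plumbing rather than SELinux actually being turned off.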