SELinux Policy for OpenShift Containers

I was exploring Cilium on OpenShift, this paper is a summary of what is required for a container to run properly in OpenShift where SELinux is turned on by default.

The Problem

After installing the Cilium, the hubble-relay is not able to connect to the hubble through the Unix socket and therefore the hubble UI is not able to show the connection topologies. The log of this error is shown below,

level=warning msg="Failed to create peer client for peers synchronization; will try again after the timeout has expired" error="context deadline exceeded" subsys=hubble-relay target="unix:///var/run/cilium/hubble.sock"

Simulated App

To focus on the issue, the hubble and the hubble-relay app are simplified as two separate processes that share their communication through a Unix socket. The main process listens on a Unix socket, upon a client connection, it echoes the input back to the client.

func main() {
 socketFile := os.Getenv("APP_UNIX_SOCK")
 if socketFile == "" {
  socketFile = "/var/run/app.sock"
 }
 err := os.RemoveAll(socketFile)
 if err != nil {
  logrus.Fatalf("Failed to remove socket file: %v", err)
 }
 listener, err := net.Listen("unix", socketFile)
 if err != nil {…