From 333c985cad0977150b1612fd2b1a1e6261f56b77 Mon Sep 17 00:00:00 2001
From: Juan Antonio Osorio
Date: Tue, 8 Mar 2022 11:10:02 +0200
Subject: [PATCH 1/2] containerd: Enable SELinux labeling support by default

This enables containerd to do appropriate SELinux labeling of containers and files by default. This should not be problematic as Flatcar ships with SELinux permissive by default.

Signed-off-by: Juan Antonio Osorio
---
 .../coreos-overlay/app-emulation/containerd/files/config.toml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/containerd/files/config.toml b/sdk_container/src/third_party/coreos-overlay/app-emulation/containerd/files/config.toml
index b5459b93db..c6b44e6634 100644
--- a/sdk_container/src/third_party/coreos-overlay/app-emulation/containerd/files/config.toml
+++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/containerd/files/config.toml
@@ -27,6 +27,10 @@ runtime = "runc"
 # live restore is not supported
 no_shim = false
+[plugins."io.containerd.grpc.v1.cri"]
+# enable SELinux labeling
+enable_selinux = true
+
 [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
 # setting runc.options unsets parent settings
 runtime_type = "io.containerd.runc.v2"

From 3b491d97b6a3df9ecf9c8e1bd03f78b906d23b5a Mon Sep 17 00:00:00 2001
From: Juan Antonio Osorio
Date: Tue, 8 Mar 2022 18:07:00 +0200
Subject: [PATCH 2/2] Added changelog entry for SELinux enablement in containerd

Signed-off-by: Juan Antonio Osorio
---
 .../changelog/changes/2022-03-08-containerd-selinux.md | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 sdk_container/src/third_party/coreos-overlay/changelog/changes/2022-03-08-containerd-selinux.md

diff --git a/sdk_container/src/third_party/coreos-overlay/changelog/changes/2022-03-08-containerd-selinux.md b/sdk_container/src/third_party/coreos-overlay/changelog/changes/2022-03-08-containerd-selinux.md
new file mode 100644
index 0000000000..16909ec38a
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/changelog/changes/2022-03-08-containerd-selinux.md
@@ -0,0 +1,2 @@
+- Made SELinux enabled by default in default containerd configuration file. ([PR#1699](https://github.com/flatcar-linux/coreos-overlay/pull/1699))
+
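Review bot: The comment `# enable SELinux labeling` above `enable_selinux = true` should say what the key does and does not give on the default host, since the commit message justifies it only by Flatcar being permissive: `# Let the CRI plugin assign SELinux/MCS labels to containers. Takes effect only when the kernel has SELinux enabled; in permissive mode (Flatcar's default) labels are applied but denials are audited, not enforced.` That tells whoever later switches the host to enforcing that the loaded policy, not this key, decides whether containers are actually confined. Also worth checking that `[plugins."io.containerd.grpc.v1.cri"]` is not already opened above line 27, outside this hunk: TOML rejects a second header for the same table, which would likely leave config.toml unparseable and containerd unable to start, and in that case the key belongs in the existing table rather than a new one. The table that owns the `no_shim = false` context line begins above the hunk.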