SELinux Multi-Category Security (MCS) breaks GitLab runner's multi-container job architecture because the helper and build containers get different random MCS category pairs, preventing them from sharing the /builds volume. The post explains MCS dominance rules in detail, demonstrates the problem with a test script covering both crun and libkrun (microVM) runtimes, and evaluates available workarounds. GitLab's official fix of pinning a fixed MCS label collapses isolation between concurrent jobs. GNOME's current approach uses different fixed labels per runner type as a pragmatic compromise. The post then explores microVM paths (libkrun, Firecracker, Cloud Hypervisor) as a route to true per-job isolation, noting that libkrun hits a glibc rseq blocker and that the MCS problem persists at the virtiofsd layer even with microVMs. The most promising direction identified is Cloud Hypervisor paired with the fleeting-plugin-fleetingd for full VM lifecycle automation, motivated in part by CVE-2026-31431, a deterministic kernel LPE that can escape container isolation in shared CI environments.
Table of contents
The MCS problemThe test scriptGitLab's official suggestion falls shortThe GNOME workaroundExplore libkrunFirecracker and the custom executor pathWhat comes nextThe CVE-2026-31431 bugFinal thoughtsSort: