containers
/
automation-tests
mirror of https://github.com/containers/automation-tests.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Fix handling of user specified container labels 

Currently we override the SELinux labels specified by the user
if the container is runing a kata container or systemd container.

This PR fixes to use the label specified by the user.

Fixes: https://github.com/containers/podman/issues/11100

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
This commit is contained in:
Daniel J Walsh 2021-08-02 16:33:33 -04:00
parent 58cdb3236f
commit 985c717085
No known key found for this signature in database
GPG Key ID: A2DF901DABE2C028
2 changed files with 35 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
libpod/container_internal.go
View File

@ -472,20 +472,10 @@ func (c *Container) setupStorage(ctx context.Context) error {
c.config.IDMappings.UIDMap = containerInfo.UIDMap c.config.IDMappings.UIDMap = containerInfo.UIDMap
c.config.IDMappings.GIDMap = containerInfo.GIDMap c.config.IDMappings.GIDMap = containerInfo.GIDMap
processLabel := containerInfo.ProcessLabel processLabel, err := c.processLabel(containerInfo.ProcessLabel)
switch { if err != nil {
case c.ociRuntime.SupportsKVM(): return err
processLabel, err = selinux.KVMLabel(processLabel)
if err != nil {
return err
}
case c.config.Systemd:
processLabel, err = selinux.InitLabel(processLabel)
if err != nil {
return err
}
} }
c.config.ProcessLabel = processLabel c.config.ProcessLabel = processLabel
c.config.MountLabel = containerInfo.MountLabel c.config.MountLabel = containerInfo.MountLabel
c.config.StaticDir = containerInfo.Dir c.config.StaticDir = containerInfo.Dir
@ -520,6 +510,26 @@ func (c *Container) setupStorage(ctx context.Context) error {
return nil return nil
} }
func (c *Container) processLabel(processLabel string) (string, error) {
if !c.config.Systemd && !c.ociRuntime.SupportsKVM() {
return processLabel, nil
}
ctrSpec, err := c.specFromState()
if err != nil {
return "", err
}
label, ok := ctrSpec.Annotations[define.InspectAnnotationLabel]
if !ok || !strings.Contains(label, "type:") {
switch {
case c.ociRuntime.SupportsKVM():
return selinux.KVMLabel(processLabel)
case c.config.Systemd:
return selinux.InitLabel(processLabel)
}
}
return processLabel, nil
}
// Tear down a container's storage prior to removal // Tear down a container's storage prior to removal
func (c *Container) teardownStorage() error { func (c *Container) teardownStorage() error {
if c.ensureState(define.ContainerStateRunning, define.ContainerStatePaused) { if c.ensureState(define.ContainerStateRunning, define.ContainerStatePaused) {

12
test/system/410-selinux.bats
View File

@ -50,6 +50,18 @@ function check_label() {
check_label "--systemd=always" "container_init_t" check_label "--systemd=always" "container_init_t"
} }
@test "podman selinux: init container with --security-opt type" {
check_label "--systemd=always --security-opt=label=type:spc_t" "spc_t"
}
@test "podman selinux: init container with --security-opt level&type" {
check_label "--systemd=always --security-opt=label=level:s0:c1,c2 --security-opt=label=type:spc_t" "spc_t" "s0:c1,c2"
}
@test "podman selinux: init container with --security-opt level" {
check_label "--systemd=always --security-opt=label=level:s0:c1,c2" "container_init_t" "s0:c1,c2"
}
@test "podman selinux: pid=host" { @test "podman selinux: pid=host" {
# FIXME this test fails when run rootless with runc: # FIXME this test fails when run rootless with runc:
# Error: container_linux.go:367: starting container process caused: process_linux.go:495: container init caused: readonly path /proc/asound: operation not permitted: OCI permission denied # Error: container_linux.go:367: starting container process caused: process_linux.go:495: container init caused: readonly path /proc/asound: operation not permitted: OCI permission denied