Merge pull request #11101 from rhatdan/selinux
Fix handling of user specified container labels
This commit is contained in:
openshift-ci[bot]
GitHub
commit
e93661f5e7
|
|
@ -472,20 +472,10 @@ func (c *Container) setupStorage(ctx context.Context) error {
|
|||
c.config.IDMappings.UIDMap = containerInfo.UIDMap
|
||||
c.config.IDMappings.GIDMap = containerInfo.GIDMap
|
||||
|
||||
processLabel := containerInfo.ProcessLabel
|
||||
switch {
|
||||
case c.ociRuntime.SupportsKVM():
|
||||
processLabel, err = selinux.KVMLabel(processLabel)
|
||||
processLabel, err := c.processLabel(containerInfo.ProcessLabel)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
case c.config.Systemd:
|
||||
processLabel, err = selinux.InitLabel(processLabel)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
}
|
||||
|
||||
c.config.ProcessLabel = processLabel
|
||||
c.config.MountLabel = containerInfo.MountLabel
|
||||
c.config.StaticDir = containerInfo.Dir
|
||||
|
|
@ -520,6 +510,26 @@ func (c *Container) setupStorage(ctx context.Context) error {
|
|||
return nil
|
||||
}
|
||||
|
||||
func (c *Container) processLabel(processLabel string) (string, error) {
|
||||
if !c.config.Systemd && !c.ociRuntime.SupportsKVM() {
|
||||
return processLabel, nil
|
||||
}
|
||||
ctrSpec, err := c.specFromState()
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
label, ok := ctrSpec.Annotations[define.InspectAnnotationLabel]
|
||||
if !ok || !strings.Contains(label, "type:") {
|
||||
switch {
|
||||
case c.ociRuntime.SupportsKVM():
|
||||
return selinux.KVMLabel(processLabel)
|
||||
case c.config.Systemd:
|
||||
return selinux.InitLabel(processLabel)
|
||||
}
|
||||
}
|
||||
return processLabel, nil
|
||||
}
|
||||
|
||||
// Tear down a container's storage prior to removal
|
||||
func (c *Container) teardownStorage() error {
|
||||
if c.ensureState(define.ContainerStateRunning, define.ContainerStatePaused) {
|
||||
|
|
|
|||
|
|
@ -50,6 +50,18 @@ function check_label() {
|
|||
check_label "--systemd=always" "container_init_t"
|
||||
}
|
||||
|
||||
@test "podman selinux: init container with --security-opt type" {
|
||||
check_label "--systemd=always --security-opt=label=type:spc_t" "spc_t"
|
||||
}
|
||||
|
||||
@test "podman selinux: init container with --security-opt level&type" {
|
||||
check_label "--systemd=always --security-opt=label=level:s0:c1,c2 --security-opt=label=type:spc_t" "spc_t" "s0:c1,c2"
|
||||
}
|
||||
|
||||
@test "podman selinux: init container with --security-opt level" {
|
||||
check_label "--systemd=always --security-opt=label=level:s0:c1,c2" "container_init_t" "s0:c1,c2"
|
||||
}
|
||||
|
||||
@test "podman selinux: pid=host" {
|
||||
# FIXME this test fails when run rootless with runc:
|
||||
# Error: container_linux.go:367: starting container process caused: process_linux.go:495: container init caused: readonly path /proc/asound: operation not permitted: OCI permission denied
|
||||
|
|
|
|||
Loading…
Reference in New Issue