automation-tests/pkg
Daniel J Walsh ad8a96ab95
Support running nested SELinux container separation
Currently Podman prevents SELinux container separation
when running within a container. This PR adds a new
--security-opt label=nested

When setting this option, Podman unmasks and mounts
/sys/fs/selinux into the containers, making /sys/fs/selinux
fully exposed. Secondly, Podman sets the attribute
run.oci.mount_context_type=rootcontext

This attribute tells crun to mount volumes with rootcontext=MOUNTLABEL
as opposed to context=MOUNTLABEL.

With these two settings, Podman inside the container is allowed to set
its own SELinux labels on tmpfs file systems mounted into its parent
container, while still being confined by SELinux. Thus you can have
nested SELinux labeling inside of a container.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2023-03-13 14:21:12 -04:00
annotations Remove ReservedAnnotations from kube generate specification 2023-01-18 08:46:24 -05:00
api compat: /auth: parse server address correctly 2023-03-13 13:41:49 +01:00
auth [CI:DOCS] Fix spelling and typos 2022-11-19 16:26:00 +01:00
autoupdate auto-update: support pods 2023-02-17 10:31:28 +01:00
bindings play kube: Add --wait option 2023-02-28 13:45:36 -05:00
channel bump golangci-lint to v1.50.1 2022-12-15 13:39:56 +01:00
checkpoint Update checkpointctl v0.1.0 2023-03-07 18:28:39 +00:00
copy pkg: switch to golang native error wrapping 2022-07-08 08:54:47 +02:00
criu deps: bump go-criu to v6 2022-11-01 13:57:24 +05:30
ctime Replace deprecated ioutil 2022-09-20 15:34:27 -04:00
domain Must use mountlabel when creating builtin volumes 2023-03-09 12:36:52 -05:00
env [CI:DOCS] Fix spelling and typos 2022-11-19 16:26:00 +01:00
errorhandling Fix typos 2023-02-11 18:23:24 +01:00
inspect pkg/inspect: remove unused ImageResult type 2022-05-24 16:07:39 +02:00
k8s.io Fix typos 2023-02-11 18:23:24 +01:00
lookup bump golangci-lint to v1.50.1 2022-12-15 13:39:56 +01:00
machine docs: fix cmd `set DOCKER_HOST` suggestion 2023-03-13 08:11:45 +03:00
namespaces libpod: Add pasta networking mode 2022-11-08 00:16:35 +01:00
parallel Fix stutters 2022-09-10 07:52:00 -04:00
ps Add initial SQLite-backed state implementation 2023-02-22 11:00:50 -05:00
rctl pkg/rctl: Remove unused cgo dependency 2022-10-31 15:13:48 +00:00
rootless cmd: do not require userns for "version" 2023-03-03 14:27:54 +01:00
rootlessport go fmt: use go 1.18 conditional-build syntax 2022-03-18 09:11:53 +01:00
seccomp pkg: switch to golang native error wrapping 2022-07-08 08:54:47 +02:00
selinux
servicereaper go fmt: use go 1.18 conditional-build syntax 2022-03-18 09:11:53 +01:00
signal Run codespell on code 2022-11-04 10:57:41 -04:00
specgen Support running nested SELinux container separation 2023-03-13 14:21:12 -04:00
specgenutil Support running nested SELinux container separation 2023-03-13 14:21:12 -04:00
systemd Quadlet: add support for setting --ip and --ip6 2023-03-06 18:36:41 -07:00
terminal podman ssh work, using new c/common interface 2022-08-09 14:00:58 -04:00
timetype bump golangci-lint to v1.49.0 2022-10-17 09:19:41 +02:00
trust pkg/trust: Take the default policy path from c/common/pkg/config 2022-11-25 10:14:15 +00:00
util Fix typos 2023-02-11 18:23:24 +01:00