Merge pull request #1576 from rhatdan/label

Disable SELinux labeling if --privileged

cmd/podman/create.go

@@ -784,7 +784,9 @@ func parseCreateOpts(ctx context.Context, c *cli.Context, runtime *libpod.Runtim
 		VolumesFrom: c.StringSlice("volumes-from"),
 	}
 
-	if !config.Privileged {
+	if config.Privileged {
+		config.LabelOpts = label.DisableSecOpt()
+	} else {
 		if err := parseSecurityOpt(config, c.StringSlice("security-opt")); err != nil {
 			return nil, err
 		}

test/e2e/run_selinux_test.go

@@ -0,0 +1,87 @@
+package integration
+
+import (
+	"fmt"
+	"os"
+
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+	"github.com/opencontainers/selinux/go-selinux"
+)
+
+var _ = Describe("Podman run", func() {
+	var (
+		tempdir    string
+		err        error
+		podmanTest PodmanTest
+	)
+
+	BeforeEach(func() {
+		tempdir, err = CreateTempDirInTempDir()
+		if err != nil {
+			os.Exit(1)
+		}
+		podmanTest = PodmanCreate(tempdir)
+		podmanTest.RestoreAllArtifacts()
+		if !selinux.GetEnabled() {
+			Skip("SELinux not enabled")
+		}
+	})
+
+	AfterEach(func() {
+		podmanTest.Cleanup()
+		f := CurrentGinkgoTestDescription()
+		timedResult := fmt.Sprintf("Test: %s completed in %f seconds", f.TestText, f.Duration.Seconds())
+		GinkgoWriter.Write([]byte(timedResult))
+	})
+
+	It("podman run selinux", func() {
+		session := podmanTest.Podman([]string{"run", ALPINE, "cat", "/proc/self/attr/current"})
+		session.WaitWithDefaultTimeout()
+		Expect(session.ExitCode()).To(Equal(0))
+		match, _ := session.GrepString("container_t")
+		Expect(match).Should(BeTrue())
+	})
+
+	It("podman run selinux grep test", func() {
+		session := podmanTest.Podman([]string{"run", "-it", "--security-opt", "label=level:s0:c1,c2", ALPINE, "cat", "/proc/self/attr/current"})
+		session.WaitWithDefaultTimeout()
+		Expect(session.ExitCode()).To(Equal(0))
+		match, _ := session.GrepString("s0:c1,c2")
+		Expect(match).Should(BeTrue())
+	})
+
+	It("podman run selinux disable test", func() {
+		session := podmanTest.Podman([]string{"run", "-it", "--security-opt", "label=disable", ALPINE, "cat", "/proc/self/attr/current"})
+		session.WaitWithDefaultTimeout()
+		Expect(session.ExitCode()).To(Equal(0))
+		match, _ := session.GrepString("spc_t")
+		Expect(match).Should(BeTrue())
+	})
+
+	It("podman run selinux type check test", func() {
+		session := podmanTest.Podman([]string{"run", "-it", ALPINE, "cat", "/proc/self/attr/current"})
+		session.WaitWithDefaultTimeout()
+		Expect(session.ExitCode()).To(Equal(0))
+		match1, _ := session.GrepString("container_t")
+		match2, _ := session.GrepString("svirt_lxc_net_t")
+		Expect(match1 || match2).Should(BeTrue())
+	})
+
+	It("podman run selinux type setup test", func() {
+		session := podmanTest.Podman([]string{"run", "-it", "--security-opt", "label=type:spc_t", ALPINE, "cat", "/proc/self/attr/current"})
+		session.WaitWithDefaultTimeout()
+		Expect(session.ExitCode()).To(Equal(0))
+		match, _ := session.GrepString("spc_t")
+		Expect(match).Should(BeTrue())
+	})
+
+	It("podman privileged selinux", func() {
+		session := podmanTest.Podman([]string{"run", "--privileged", ALPINE, "cat", "/proc/self/attr/current"})
+		session.WaitWithDefaultTimeout()
+		Expect(session.ExitCode()).To(Equal(0))
+		match, _ := session.GrepString("spc_t")
+		Expect(match).Should(BeTrue())
+	})
+
+})

test/e2e/run_test.go

@@ -10,7 +10,6 @@ import (
 	"github.com/mrunalp/fileutils"
 	. "github.com/onsi/ginkgo"
 	. "github.com/onsi/gomega"
-	"github.com/opencontainers/selinux/go-selinux"
 )
 
 var _ = Describe("Podman run", func() {
@@ -85,59 +84,6 @@ var _ = Describe("Podman run", func() {
 		Expect(session.ExitCode()).To(Equal(0))
 	})
 
-	It("podman run selinux grep test", func() {
-		if !selinux.GetEnabled() {
-			Skip("SELinux not enabled")
-		}
-		session := podmanTest.Podman([]string{"run", "-it", "--security-opt", "label=level:s0:c1,c2", ALPINE, "cat", "/proc/self/attr/current"})
-		session.WaitWithDefaultTimeout()
-		Expect(session.ExitCode()).To(Equal(0))
-		match, _ := session.GrepString("s0:c1,c2")
-		Expect(match).Should(BeTrue())
-	})
-
-	It("podman run selinux disable test", func() {
-		if !selinux.GetEnabled() {
-			Skip("SELinux not enabled")
-		}
-		session := podmanTest.Podman([]string{"run", "-it", "--security-opt", "label=disable", ALPINE, "cat", "/proc/self/attr/current"})
-		session.WaitWithDefaultTimeout()
-		Expect(session.ExitCode()).To(Equal(0))
-		match, _ := session.GrepString("spc_t")
-		Expect(match).Should(BeTrue())
-	})
-
-	It("podman run selinux type check test", func() {
-		if !selinux.GetEnabled() {
-			Skip("SELinux not enabled")
-		}
-		session := podmanTest.Podman([]string{"run", "-it", ALPINE, "cat", "/proc/self/attr/current"})
-		session.WaitWithDefaultTimeout()
-		Expect(session.ExitCode()).To(Equal(0))
-		match1, _ := session.GrepString("container_t")
-		match2, _ := session.GrepString("svirt_lxc_net_t")
-		Expect(match1 || match2).Should(BeTrue())
-	})
-
-	It("podman run selinux type setup test", func() {
-		if !selinux.GetEnabled() {
-			Skip("SELinux not enabled")
-		}
-		session := podmanTest.Podman([]string{"run", "-it", "--security-opt", "label=type:spc_t", ALPINE, "cat", "/proc/self/attr/current"})
-		session.WaitWithDefaultTimeout()
-		Expect(session.ExitCode()).To(Equal(0))
-		match, _ := session.GrepString("spc_t")
-		Expect(match).Should(BeTrue())
-	})
-
-	It("podman run seccomp undefine test", func() {
-		session := podmanTest.Podman([]string{"run", "-it", "--security-opt", "seccomp=unconfined", ALPINE, "echo", "hello"})
-		session.WaitWithDefaultTimeout()
-		Expect(session.ExitCode()).To(Equal(0))
-		match, _ := session.GrepString("hello")
-		Expect(match).Should(BeTrue())
-	})
-
 	It("podman run seccomp test", func() {
 		jsonFile := filepath.Join(podmanTest.TempDir, "seccomp.json")
 		in := []byte(`{"defaultAction":"SCMP_ACT_ALLOW","syscalls":[{"name":"getcwd","action":"SCMP_ACT_ERRNO"}]}`)