-
Notifications
You must be signed in to change notification settings - Fork 2.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Privileged container volumes are not relabeled #10209
Comments
$ chcon -R -t container_file_t -l s0 ${HOME}/test But I think that we should do the relabel if the user specifies :z |
@rhatdan, so you agree this is a bug that should be fixed? |
This does seem surprising. Why should users of privileged containers rewrite this using |
This change was made based on others complaining about the break. |
Well the relableling has been done for years I think at this point. Is the aim to fix this issue or you think its working as desired? |
Indeed the current behavior is different between
|
Fixed in #10253 |
Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)
/kind bug
Description
Volumes of privileged containers are not relabeled since Podman v3.1.1 due to #9895. This makes it difficult to re-use volumes created by a privileged container from a non-privileged container, without resorting to manual/additional relabeling. This behavior is different from Docker and previous versions of Podman.
If this is indeed intended behavior. What would be the canonical way to make sure files created/written by a privileged container are accessible by other (non-privileged) containers?
Steps to reproduce the issue:
-z
:Describe the results you received:
Since the volume is not relabeled, the second container is not allowed to write:
Describe the results you expected:
Since the first container was started with the relabel option, I expected for the directory and files created to be labeled in such a way that other containers can access them.
Additional information you deem important (e.g. issue happens only occasionally):
Because the release notes stated "This matches better matches Docker's behavior in this case" I've tested the same scenario on a couple of Docker installations. Where it does work with moby-engine in Fedora CoreOS Stable (33.20210426.3.0) and Next (34.20210427.1.0) and with the latest Docker (20.10.6) on an selinux enabled Debian Buster.
In addition I ran the following script to inspect the labels on these installations. In all cases with Docker the directories were relabeled.
Output of
podman version
:Output of
podman info --debug
:Package info (e.g. output of
rpm -q podman
orapt list podman
):Have you tested with the latest version of Podman and have you checked the Podman Troubleshooting Guide? (https://github.com/containers/podman/blob/master/troubleshooting.md)
Yes
Additional environment details (AWS, VirtualBox, physical, etc.):
Fedora CoreOS Next 34.20210427.1.0 QEMU
The text was updated successfully, but these errors were encountered: