From c68b59f97fcba356b167f62031070129ed687648 Mon Sep 17 00:00:00 2001
From: Steven Taylor
Date: Tue, 2 Feb 2021 18:13:13 +0000
Subject: [PATCH 1/4] play kube selinux label issue
play kube function not respecting selinux options in kube yaml, all options were being mapped to role. fixes issue 8710
Signed-off-by: Steven Taylor
---
 pkg/specgen/generate/kube/kube.go | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/pkg/specgen/generate/kube/kube.go b/pkg/specgen/generate/kube/kube.go
index 0d7ee3ad20..98ab822593 100644
--- a/pkg/specgen/generate/kube/kube.go
+++ b/pkg/specgen/generate/kube/kube.go
@@ -282,16 +282,16 @@ func setupSecurityContext(s *specgen.SpecGenerator, containerYAML v1.Container)
 if seopt := containerYAML.SecurityContext.SELinuxOptions; seopt != nil {
 if seopt.User != "" {
- s.SelinuxOpts = append(s.SelinuxOpts, fmt.Sprintf("role:%s", seopt.User))
+ s.SelinuxOpts = append(s.SelinuxOpts, fmt.Sprintf("user:%s", seopt.User))
 }
 if seopt.Role != "" {
 s.SelinuxOpts = append(s.SelinuxOpts, fmt.Sprintf("role:%s", seopt.Role))
 }
 if seopt.Type != "" {
- s.SelinuxOpts = append(s.SelinuxOpts, fmt.Sprintf("role:%s", seopt.Type))
+ s.SelinuxOpts = append(s.SelinuxOpts, fmt.Sprintf("type:%s", seopt.Type))
 }
 if seopt.Level != "" {
- s.SelinuxOpts = append(s.SelinuxOpts, fmt.Sprintf("role:%s", seopt.Level))
+ s.SelinuxOpts = append(s.SelinuxOpts, fmt.Sprintf("level:%s", seopt.Level))
 }
 }
 if caps := containerYAML.SecurityContext.Capabilities; caps != nil {
From 432ee04c558aaf76c50ce1d299ee36a9cf77d26a Mon Sep 17 00:00:00 2001
From: Steven Taylor
Date: Wed, 3 Feb 2021 00:27:48 +0000
Subject: [PATCH 2/4] play kube selinux label test case
test case added to e2e test suite to validate process label being correctly set on play kube
Signed-off-by: Steven Taylor
---
 test/e2e/play_kube_test.go | 58 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 58 insertions(+)
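Review bot: The four `if` blocks on the new side differ only in the key string and the field they read, which is exactly how the old code came to emit `role:` for every component; a table-driven loop keeps each key paired with its field so the mismatch cannot recur on the next edit. `setupSecurityContext` begins and ends outside the hunk. The values are copied verbatim from the kube YAML's `seLinuxOptions` into `s.SelinuxOpts` with no check here that they are single label components; I can't tell from this hunk where they are validated, so a comment such as `// user/role/type/level are passed through unvalidated; the label parser downstream must reject malformed components` would help the next reader confirm that assumption.
```go
	if seopt := containerYAML.SecurityContext.SELinuxOptions; seopt != nil {
		// Keep each option key next to the field it reports; the earlier
		// copy-pasted blocks emitted "role:" for all four components.
		for _, o := range []struct{ key, val string }{
			{"user", seopt.User},
			{"role", seopt.Role},
			{"type", seopt.Type},
			{"level", seopt.Level},
		} {
			if o.val != "" {
				s.SelinuxOpts = append(s.SelinuxOpts, o.key+":"+o.val)
			}
		}
	}
	// … unchanged: capabilities handling …
```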
diff --git a/test/e2e/play_kube_test.go b/test/e2e/play_kube_test.go
index 5930462d5b..9fbedc0739 100644
--- a/test/e2e/play_kube_test.go
+++ b/test/e2e/play_kube_test.go
@@ -26,6 +26,49 @@ spec:
 hostname: unknown
 `
+var selinuxLabelPodYaml = `
+apiVersion: v1
+kind: Pod
+metadata:
+ creationTimestamp: "2021-02-02T22:18:20Z"
+ labels:
+ app: label-pod
+ name: label-pod
+spec:
+ containers:
+ - command:
+ - top
+ - -d
+ - "1.5"
+ env:
+ - name: PATH
+ value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+ - name: TERM
+ value: xterm
+ - name: container
+ value: podman
+ - name: HOSTNAME
+ value: label-pod
+ image: quay.io/libpod/alpine:latest
+ name: test
+ securityContext:
+ allowPrivilegeEscalation: true
+ capabilities:
+ drop:
+ - CAP_MKNOD
+ - CAP_NET_RAW
+ - CAP_AUDIT_WRITE
+ privileged: false
+ readOnlyRootFilesystem: false
+ seLinuxOptions:
+ user: unconfined_u
+ role: system_r
+ type: spc_t
+ level: s0
+ workingDir: /
+status: {}
+`
+
 var configMapYamlTemplate = `
 apiVersion: v1
 kind: ConfigMap
@@ -803,6 +846,21 @@ var _ = Describe("Podman play kube", func() {
 })
+ It("podman play kube fail with custom selinux label", func() {
+ err := writeYaml(selinuxLabelPodYaml, kubeYaml)
+ Expect(err).To(BeNil())
+
+ kube := podmanTest.Podman([]string{"play", "kube", kubeYaml})
+ kube.WaitWithDefaultTimeout()
+ Expect(kube.ExitCode()).To(Equal(0))
+
+ inspect := podmanTest.Podman([]string{"inspect", "label-pod-test", "--format", "'{{ .ProcessLabel }}'"})
+ inspect.WaitWithDefaultTimeout()
+ label := inspect.OutputToString()
+
+ Expect(label).To(ContainSubstring("nconfined_u:system_r:spc_t:s0"))
+ })
+
 It("podman play kube fail with nonexistent authfile", func() {
 err := generateKubeYaml("pod", getPod(), kubeYaml)
 Expect(err).To(BeNil())
From 96adf0e2a2eef81bb379ecfcdc5d62339bca7141 Mon Sep 17 00:00:00 2001
From: Steven Taylor
Date: Wed, 3 Feb 2021 23:35:14 +0000
Subject: [PATCH 3/4] play kube selinux test case
fixed typo in the label comparison
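Review bot: The spec added in the second hunk is named `podman play kube fail with custom selinux label` but asserts `Expect(kube.ExitCode()).To(Equal(0))` and a matching process label, so it exercises the success path and the name will mislead anyone triaging a failure; `It("podman play kube with custom selinux label", func() {` says what it checks. The `--format` value `'{{ .ProcessLabel }}'` carries literal single quotes into the output, which is what forces the weaker `ContainSubstring` match; passing `"{{ .ProcessLabel }}"` without the quotes lets the test pin the whole label with `Expect(label).To(Equal("unconfined_u:system_r:spc_t:s0"))`, so an extra or reordered component would be caught rather than accepted. The enclosing `Describe` block begins and ends outside the hunk.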
Signed-off-by: Steven Taylor
---
 test/e2e/play_kube_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/test/e2e/play_kube_test.go b/test/e2e/play_kube_test.go
index 9fbedc0739..e34063dc2a 100644
--- a/test/e2e/play_kube_test.go
+++ b/test/e2e/play_kube_test.go
@@ -858,7 +858,7 @@ var _ = Describe("Podman play kube", func() {
 inspect.WaitWithDefaultTimeout()
 label := inspect.OutputToString()
- Expect(label).To(ContainSubstring("nconfined_u:system_r:spc_t:s0"))
+ Expect(label).To(ContainSubstring("unconfined_u:system_r:spc_t:s0"))
 })
 It("podman play kube fail with nonexistent authfile", func() {
From 6c713984ef9037a7b102e8ed72c72763167260eb Mon Sep 17 00:00:00 2001
From: Steven Taylor
Date: Thu, 4 Feb 2021 19:57:08 +0000
Subject: [PATCH 4/4] play kube selinux test case
added skip to test case where selinux not enabled
Signed-off-by: Steven Taylor
---
 test/e2e/play_kube_test.go | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/test/e2e/play_kube_test.go b/test/e2e/play_kube_test.go
index e34063dc2a..2e5c72b0e8 100644
--- a/test/e2e/play_kube_test.go
+++ b/test/e2e/play_kube_test.go
@@ -13,6 +13,7 @@ import (
 . "github.com/containers/podman/v2/test/utils"
 . "github.com/onsi/ginkgo"
 . "github.com/onsi/gomega"
+ "github.com/opencontainers/selinux/go-selinux"
 )
 var unknownKindYaml = `
@@ -847,6 +848,9 @@ var _ = Describe("Podman play kube", func() {
 })
 It("podman play kube fail with custom selinux label", func() {
+ if !selinux.GetEnabled() {
+ Skip("SELinux not enabled")
+ }
 err := writeYaml(selinuxLabelPodYaml, kubeYaml)
 Expect(err).To(BeNil())