From f76e30f21c7cf8a36b499b49124ecbcd648dd8cd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
Date: Tue, 2 Mar 2021 22:31:45 +0100
Subject: [PATCH] libpod: Apply SELinux KVM label if process contains "kata" in its name
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

We currently only apply the label when the user calls `podman --runtime kata ...`, which may not happen in several different cases, including testing binaries which are not part of the PATH. In order to avoid forcing the user to pass `--security-opt label=type:...`, let's follow a similar logic than the one implemented on the CRI-O side and apply the KVM label to the processes in case the runtime binary contains "kata" as part of its name.

Fixes: #9582
Signed-off-by: Fabiano FidĂȘncio
---
 libpod/container_internal.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libpod/container_internal.go b/libpod/container_internal.go
index 2e0c245792..fae688ee2d 100644
--- a/libpod/container_internal.go
+++ b/libpod/container_internal.go
@@ -467,7 +467,7 @@ func (c *Container) setupStorage(ctx context.Context) error {
 processLabel := containerInfo.ProcessLabel
 switch {
- case c.ociRuntime.SupportsKVM():
+ case c.ociRuntime.SupportsKVM(), strings.Contains(strings.ToLower(filepath.Base(c.ociRuntime.Path())), "kata"):
 processLabel, err = selinux.KVMLabel(processLabel)
 if err != nil {
 return err