Add support for container creation's selinux_opts attribute

README.md

@@ -396,6 +396,16 @@ config {
 }
 ```
 
+* **selinux_opts** - (Optional)  A list of process labels the container will use.
+
+```
+config {
+  selinux_opts = [
+    "type:my_container.process"
+  ]
+}
+```
+
 * **sysctl** - (Optional)  A key-value map of sysctl configurations to set to the containers on start.
 
 ```hcl

api/structs.go

@@ -840,6 +840,11 @@ type InspectContainerHostConfig struct {
 	// capabilities listed in the container's spec, compared against a set
 	// of default capabilities.
 	CapDrop []string `json:"CapDrop"`
+	// SelinuxProcessLabel is the process label the container will use.
+	// If SELinux is enabled and this is not specified, a label will be
+	// automatically generated if not specified.
+	// Optional.
+	SelinuxOpts []string `json:"SelinuxOpts"`
 	// Dns is a list of DNS nameservers that will be added to the
 	// container's resolv.conf
 	Dns []string `json:"Dns"`

config.go

@@ -52,6 +52,7 @@ var (
 		"command":        hclspec.NewAttr("command", "string", false),
 		"cap_add":        hclspec.NewAttr("cap_add", "list(string)", false),
 		"cap_drop":       hclspec.NewAttr("cap_drop", "list(string)", false),
+		"selinux_opts":   hclspec.NewAttr("selinux_opts", "list(string)", false),
 		"cpu_hard_limit": hclspec.NewAttr("cpu_hard_limit", "bool", false),
 		"cpu_cfs_period": hclspec.NewAttr("cpu_cfs_period", "number", false),
 		"devices":        hclspec.NewAttr("devices", "list(string)", false),
@@ -130,6 +131,7 @@ type TaskConfig struct {
 	Volumes           []string           `codec:"volumes"`
 	CapAdd            []string           `codec:"cap_add"`
 	CapDrop           []string           `codec:"cap_drop"`
+	SelinuxOpts       []string           `codec:"selinux_opts"`
 	Command           string             `codec:"command"`
 	Devices           []string           `codec:"devices"`
 	Entrypoint        string             `codec:"entrypoint"`

driver.go

@@ -484,6 +484,7 @@ func (d *Driver) StartTask(cfg *drivers.TaskConfig) (*drivers.TaskHandle, *drive
 	// Security config options
 	createOpts.ContainerSecurityConfig.CapAdd = driverConfig.CapAdd
 	createOpts.ContainerSecurityConfig.CapDrop = driverConfig.CapDrop
+	createOpts.ContainerSecurityConfig.SelinuxOpts = driverConfig.SelinuxOpts
 	createOpts.ContainerSecurityConfig.User = cfg.User
 	createOpts.ContainerSecurityConfig.Privileged = driverConfig.Privileged
 	createOpts.ContainerSecurityConfig.ReadOnlyFilesystem = driverConfig.ReadOnlyRootfs

driver_test.go

@@ -1336,7 +1336,16 @@ func TestPodmanDriver_DefaultCaps(t *testing.T) {
 	require.Contains(t, inspectData.EffectiveCaps, "CAP_CHOWN")
 }
 
-// check modified capabilities (CapAdd/CapDrop)
+// check default process label
+func TestPodmanDriver_DefaultProcessLabel(t *testing.T) {
+	taskCfg := newTaskConfig("", busyboxLongRunningCmd)
+	inspectData := startDestroyInspect(t, taskCfg, "defaultprocesslabel")
+
+	// a default container gets "disable" process label
+	require.Contains(t, inspectData.ProcessLabel, "label=disable")
+}
+
+// check modified capabilities (CapAdd/CapDrop/SelinuxOpts)
 func TestPodmanDriver_Caps(t *testing.T) {
 	taskCfg := newTaskConfig("", busyboxLongRunningCmd)
 	// 	cap_add = [
@@ -1347,13 +1356,19 @@ func TestPodmanDriver_Caps(t *testing.T) {
 	//     "MKNOD",
 	//   ]
 	taskCfg.CapDrop = []string{"CHOWN"}
+	// 	selinux_opts = [
+	//     "disable",
+	//   ]
+	taskCfg.SelinuxOpts = []string{"disable"}
 
 	inspectData := startDestroyInspect(t, taskCfg, "caps")
 
 	// we added SYS_TIME, so we should see it in inspect
 	require.Contains(t, inspectData.EffectiveCaps, "CAP_SYS_TIME")
 	// we dropped CAP_CHOWN, so we should NOT see it in inspect
 	require.NotContains(t, inspectData.EffectiveCaps, "CAP_CHOWN")
+	// we added "disable" process label, so we should see it in inspect
+	require.Contains(t, inspectData.ProcessLabel, "label=disable")
 }
 
 // check enabled tty option