Fix handling of user specified container labels

Currently we override the SELinux labels specified by the user if the container is runing a kata container or systemd container. This PR fixes to use the label specified by the user. Fixes: containers#11100 Signed-off-by: Daniel J Walsh <[email protected]>
mheon · Aug 11, 2021 · cb7f0a3 · cb7f0a3
1 parent d749770
commit cb7f0a3
Show file tree

Hide file tree

Showing 2 changed files with 35 additions and 13 deletions.
diff --git a/libpod/container_internal.go b/libpod/container_internal.go
@@ -472,20 +472,10 @@ func (c *Container) setupStorage(ctx context.Context) error {
 	c.config.IDMappings.UIDMap = containerInfo.UIDMap
 	c.config.IDMappings.GIDMap = containerInfo.GIDMap
 
-	processLabel := containerInfo.ProcessLabel
-	switch {
-	case c.ociRuntime.SupportsKVM():
-		processLabel, err = selinux.KVMLabel(processLabel)
-		if err != nil {
-			return err
-		}
-	case c.config.Systemd:
-		processLabel, err = selinux.InitLabel(processLabel)
-		if err != nil {
-			return err
-		}
+	processLabel, err := c.processLabel(containerInfo.ProcessLabel)
+	if err != nil {
+		return err
 	}
-
 	c.config.ProcessLabel = processLabel
 	c.config.MountLabel = containerInfo.MountLabel
 	c.config.StaticDir = containerInfo.Dir
@@ -520,6 +510,26 @@ func (c *Container) setupStorage(ctx context.Context) error {
 	return nil
 }
 
+func (c *Container) processLabel(processLabel string) (string, error) {
+	if !c.config.Systemd && !c.ociRuntime.SupportsKVM() {
+		return processLabel, nil
+	}
+	ctrSpec, err := c.specFromState()
+	if err != nil {
+		return "", err
+	}
+	label, ok := ctrSpec.Annotations[define.InspectAnnotationLabel]
+	if !ok || !strings.Contains(label, "type:") {
+		switch {
+		case c.ociRuntime.SupportsKVM():
+			return selinux.KVMLabel(processLabel)
+		case c.config.Systemd:
+			return selinux.InitLabel(processLabel)
+		}
+	}
+	return processLabel, nil
+}
+
 // Tear down a container's storage prior to removal
 func (c *Container) teardownStorage() error {
 	if c.ensureState(define.ContainerStateRunning, define.ContainerStatePaused) {

diff --git a/test/system/410-selinux.bats b/test/system/410-selinux.bats
@@ -50,6 +50,18 @@ function check_label() {
     check_label "--systemd=always" "container_init_t"
 }
 
+@test "podman selinux: init container with --security-opt type" {
+    check_label "--systemd=always --security-opt=label=type:spc_t" "spc_t"
+}
+
+@test "podman selinux: init container with --security-opt level&type" {
+    check_label "--systemd=always --security-opt=label=level:s0:c1,c2 --security-opt=label=type:spc_t" "spc_t" "s0:c1,c2"
+}
+
+@test "podman selinux: init container with --security-opt level" {
+    check_label "--systemd=always --security-opt=label=level:s0:c1,c2" "container_init_t"  "s0:c1,c2"
+}
+
 @test "podman selinux: pid=host" {
     # FIXME this test fails when run rootless with runc:
     #   Error: container_linux.go:367: starting container process caused: process_linux.go:495: container init caused: readonly path /proc/asound: operation not permitted: OCI permission denied