Skip to content

Commit

Permalink
Merge pull request containers#11101 from rhatdan/selinux
Browse files Browse the repository at this point in the history
Fix handling of user specified container labels
  • Loading branch information
openshift-ci[bot] authored Aug 3, 2021
2 parents d25f8d0 + 985c717 commit e93661f
Show file tree
Hide file tree
Showing 2 changed files with 35 additions and 13 deletions.
36 changes: 23 additions & 13 deletions libpod/container_internal.go
Original file line number Diff line number Diff line change
Expand Up @@ -472,20 +472,10 @@ func (c *Container) setupStorage(ctx context.Context) error {
c.config.IDMappings.UIDMap = containerInfo.UIDMap
c.config.IDMappings.GIDMap = containerInfo.GIDMap

processLabel := containerInfo.ProcessLabel
switch {
case c.ociRuntime.SupportsKVM():
processLabel, err = selinux.KVMLabel(processLabel)
if err != nil {
return err
}
case c.config.Systemd:
processLabel, err = selinux.InitLabel(processLabel)
if err != nil {
return err
}
processLabel, err := c.processLabel(containerInfo.ProcessLabel)
if err != nil {
return err
}

c.config.ProcessLabel = processLabel
c.config.MountLabel = containerInfo.MountLabel
c.config.StaticDir = containerInfo.Dir
Expand Down Expand Up @@ -520,6 +510,26 @@ func (c *Container) setupStorage(ctx context.Context) error {
return nil
}

func (c *Container) processLabel(processLabel string) (string, error) {
if !c.config.Systemd && !c.ociRuntime.SupportsKVM() {
return processLabel, nil
}
ctrSpec, err := c.specFromState()
if err != nil {
return "", err
}
label, ok := ctrSpec.Annotations[define.InspectAnnotationLabel]
if !ok || !strings.Contains(label, "type:") {
switch {
case c.ociRuntime.SupportsKVM():
return selinux.KVMLabel(processLabel)
case c.config.Systemd:
return selinux.InitLabel(processLabel)
}
}
return processLabel, nil
}

// Tear down a container's storage prior to removal
func (c *Container) teardownStorage() error {
if c.ensureState(define.ContainerStateRunning, define.ContainerStatePaused) {
Expand Down
12 changes: 12 additions & 0 deletions test/system/410-selinux.bats
Original file line number Diff line number Diff line change
Expand Up @@ -50,6 +50,18 @@ function check_label() {
check_label "--systemd=always" "container_init_t"
}

@test "podman selinux: init container with --security-opt type" {
check_label "--systemd=always --security-opt=label=type:spc_t" "spc_t"
}

@test "podman selinux: init container with --security-opt level&type" {
check_label "--systemd=always --security-opt=label=level:s0:c1,c2 --security-opt=label=type:spc_t" "spc_t" "s0:c1,c2"
}

@test "podman selinux: init container with --security-opt level" {
check_label "--systemd=always --security-opt=label=level:s0:c1,c2" "container_init_t" "s0:c1,c2"
}

@test "podman selinux: pid=host" {
# FIXME this test fails when run rootless with runc:
# Error: container_linux.go:367: starting container process caused: process_linux.go:495: container init caused: readonly path /proc/asound: operation not permitted: OCI permission denied
Expand Down

0 comments on commit e93661f

Please sign in to comment.