authorOpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com>2019-03-29 05:47:02 -0700
committerGitHub <noreply@github.com>2019-03-29 05:47:02 -0700
commit9b789359f17f22bdd2ed49087c23eebf39f338f3 (patch)
tree4ccdf7b1acd720ea0b0c4c92804afd63d9bd5b1f
parent376a89c7a417e90bc667e11f7264e4a7ea950bfe (diff)
parent0d0ad59641a308450d694d4c2fb95303c64fabf8 (diff)
Merge pull request #2575 from haircommander/hotfix_play_kube
Default to SELinux private label for play kube mounts
-rw-r--r--cmd/podman/play_kube.go7
-rw-r--r--docs/podman-play-kube.1.md2
-rw-r--r--libpod/runtime_volume_linux.go12
-rw-r--r--libpod/util_linux.go21
-rw-r--r--libpod/util_unsupported.go6
5 files changed, 37 insertions, 11 deletions
diff --git a/cmd/podman/play_kube.go b/cmd/podman/play_kube.go
index 10221a339..0429a40eb 100644
--- a/cmd/podman/play_kube.go
+++ b/cmd/podman/play_kube.go
@@ -168,7 +168,13 @@ func playKubeYAMLCmd(c *cliconfig.KubePlayValues) error {
return errors.Errorf("Error creating HostPath %s at %s", volume.Name, hostPath.Path)
}
}
+ // unconditionally label a newly created volume as private
+ if err := libpod.LabelVolumePath(hostPath.Path, false); err != nil {
+ return errors.Wrapf(err, "Error giving %s a label", hostPath.Path)
+ }
+ break
case v1.HostPathDirectory:
+ case v1.HostPathUnset:
// do nothing here because we will verify the path exists in validateVolumeHostDir
break
default:
@@ -178,7 +184,6 @@ func playKubeYAMLCmd(c *cliconfig.KubePlayValues) error {
if err := shared.ValidateVolumeHostDir(hostPath.Path); err != nil {
return errors.Wrapf(err, "Error in parsing HostPath in YAML")
}
- fmt.Println(volume.Name)
volumes[volume.Name] = hostPath.Path
}
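Review bot: The LabelVolumePath call added before the first `break` looks like it runs for every HostPath of this case, not only for a directory play kube just created — the comment says "unconditionally", and with the hunk's indentation lost it is unclear whether the call sits inside the creation branch whose closing braces precede it. LabelVolumePath relabels recursively, so pointing a volume at an existing host directory would rewrite the SELinux context of everything beneath it; if only freshly created directories are meant (as the man page text in docs/podman-play-kube.1.md implies), the call belongs inside the branch that performs the MkdirAll, or should be guarded by a flag set there. Separately, `case v1.HostPathDirectory:` now has an empty body and Go does not fall through, so it "does nothing" only because the next case also does nothing; `case v1.HostPathDirectory, v1.HostPathUnset:` states the intent, and both `break` statements are redundant. playKubeYAMLCmd starts and ends outside the hunk.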
diff --git a/docs/podman-play-kube.1.md b/docs/podman-play-kube.1.md
index a9af961cd..a38abf35a 100644
--- a/docs/podman-play-kube.1.md
+++ b/docs/podman-play-kube.1.md
@@ -22,6 +22,8 @@ the ID of the new Pod is output.
Ideally the input file would be one created by Podman (see podman-generate-kube(1)). This would guarantee a smooth import and expected results.
+Note: HostPath volume types created by play kube will be given an SELinux private label (Z)
+
# OPTIONS:
**--authfile**
diff --git a/libpod/runtime_volume_linux.go b/libpod/runtime_volume_linux.go
index b51bb8213..5767a99e7 100644
--- a/libpod/runtime_volume_linux.go
+++ b/libpod/runtime_volume_linux.go
@@ -10,7 +10,6 @@ import (
"github.com/containers/libpod/libpod/events"
"github.com/containers/storage/pkg/stringid"
- "github.com/opencontainers/selinux/go-selinux/label"
"github.com/pkg/errors"
"github.com/sirupsen/logrus"
)
@@ -56,15 +55,8 @@ func (r *Runtime) newVolume(ctx context.Context, options ...VolumeCreateOption)
if err := os.MkdirAll(fullVolPath, 0755); err != nil {
return nil, errors.Wrapf(err, "error creating volume directory %q", fullVolPath)
}
- _, mountLabel, err := label.InitLabels([]string{})
- if err != nil {
- return nil, errors.Wrapf(err, "error getting default mountlabels")
- }
- if err := label.ReleaseLabel(mountLabel); err != nil {
- return nil, errors.Wrapf(err, "error releasing label %q", mountLabel)
- }
- if err := label.Relabel(fullVolPath, mountLabel, true); err != nil {
- return nil, errors.Wrapf(err, "error setting selinux label to %q", fullVolPath)
+ if err := LabelVolumePath(fullVolPath, true); err != nil {
+ return nil, err
}
volume.config.MountPoint = fullVolPath
diff --git a/libpod/util_linux.go b/libpod/util_linux.go
index 30e2538c3..a801df2ee 100644
--- a/libpod/util_linux.go
+++ b/libpod/util_linux.go
@@ -9,6 +9,7 @@ import (
"github.com/containerd/cgroups"
"github.com/containers/libpod/pkg/util"
spec "github.com/opencontainers/runtime-spec/specs-go"
+ "github.com/opencontainers/selinux/go-selinux/label"
"github.com/pkg/errors"
"github.com/sirupsen/logrus"
)
@@ -91,3 +92,23 @@ func GetV1CGroups(excludes []string) cgroups.Hierarchy {
return filtered, nil
}
}
+
+// LabelVolumePath takes a mount path for a volume and gives it an
+// selinux label of either shared or not
+func LabelVolumePath(path string, shared bool) error {
+ _, mountLabel, err := label.InitLabels([]string{})
+ if err != nil {
+ return errors.Wrapf(err, "error getting default mountlabels")
+ }
+ if err := label.ReleaseLabel(mountLabel); err != nil {
+ return errors.Wrapf(err, "error releasing label %q", mountLabel)
+ }
+ if err := label.Relabel(path, mountLabel, shared); err != nil {
+ permString := "private"
+ if shared {
+ permString = "shared"
+ }
+ return errors.Wrapf(err, "error setting selinux label for %s to %q as %s", path, mountLabel, permString)
+ }
+ return nil
+}
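Review bot: The doc comment on LabelVolumePath does not say what shared means or that the relabel is recursive, which is exactly what a caller handing it an arbitrary host path (play_kube.go now does) needs to know. Suggest replacing it with a comment along the lines of: `// LabelVolumePath recursively applies a freshly generated SELinux mount label to path. If shared is true the label's MCS level is dropped so any container may use the path (like the :z mount option); otherwise the generated categories are kept (:Z). The label is released back to the MCS pool before it is applied, and the call is a no-op when SELinux is disabled.` The "released before applied" part is worth stating because it means a "private" label here does not reserve its categories for the container that later mounts the volume — that appears to be inherited from the code removed in runtime_volume_linux.go rather than a new decision, but the comment should say so; the shared-drops-level and recursion claims are my reading of go-selinux's Relabel and should be confirmed against the vendored version.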
diff --git a/libpod/util_unsupported.go b/libpod/util_unsupported.go
index d598b465f..940006e69 100644
--- a/libpod/util_unsupported.go
+++ b/libpod/util_unsupported.go
@@ -21,3 +21,9 @@ func deleteSystemdCgroup(path string) error {
func assembleSystemdCgroupName(baseSlice, newSlice string) (string, error) {
return "", errors.Wrapf(ErrOSNotSupported, "cgroups are not supported on non-linux OSes")
}
+
+// LabelVolumePath takes a mount path for a volume and gives it an
+// selinux label of either shared or not
+func LabelVolumePath(path string, shared bool) error {
+ return ErrNotImplemented
+}
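Review bot: The non-linux stub returns a bare `ErrNotImplemented` while the sibling stubs in this file wrap `ErrOSNotSupported` with a message, e.g. assembleSystemdCgroupName just above; for consistency and a clearer error at the CLI this should be `return errors.Wrapf(ErrOSNotSupported, "SELinux labeling is not supported on non-linux OSes")`. Since play_kube.go now calls LabelVolumePath in its HostPath creation path, that path will always fail on non-linux builds if cmd/podman/play_kube.go is compiled there; that may be acceptable, but a comment on the stub noting that callers must expect it to fail would make the intent explicit.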