author | Adrian Reber <areber@redhat.com> | 2019-06-25 12:36:05 +0000 |
---|---|---|
committer | Adrian Reber <areber@redhat.com> | 2019-06-25 14:55:11 +0200 |
commit | 220e169cc1f04a17b25d7af0994715f75be0d249 (patch) | |
tree | 1888ec5429c37d71789b4aff311d5957e96f5090 | |
parent | 94e2a0cd63935708815bfaa3399fb57210d94065 (diff) | |
Provide correct SELinux mount-label for restored container
Restoring a container from a checkpoint archive creates a complete
new root file-system. This file-system needs to have the correct SELinux
label or most things in that restored container will fail. Running
processes are not as problematic as newly exec()'d processes (internally
or via 'podman exec').
This patch tells the storage setup which label should be used to mount
the container's root file-system.
Signed-off-by: Adrian Reber <areber@redhat.com>
-rw-r--r-- | libpod/container_internal.go | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/libpod/container_internal.go b/libpod/container_internal.go index 56fd27afb..5d824908c 100644 --- a/libpod/container_internal.go +++ b/libpod/container_internal.go @@ -351,6 +351,16 @@ func (c *Container) setupStorage(ctx context.Context) error { }, LabelOpts: c.config.LabelOpts, } + if c.restoreFromCheckpoint { + // If restoring from a checkpoint, the root file-system + // needs to be mounted with the same SELinux labels as + // it was mounted previously. + if options.Flags == nil { + options.Flags = make(map[string]interface{}) + } + options.Flags["ProcessLabel"] = c.config.ProcessLabel + options.Flags["MountLabel"] = c.config.MountLabel + } if c.config.Privileged { privOpt := func(opt string) bool { for _, privopt := range []string{"nodev", "nosuid", "noexec"} { |
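Review bot: in the new `if c.restoreFromCheckpoint` block, `c.config.ProcessLabel` and `c.config.MountLabel` are copied into `options.Flags` without checking that they are non-empty, so a restored container whose config carries no labels would end up with empty strings stored under "ProcessLabel" and "MountLabel". Consider setting each key only when its value is not "", or document why an empty label is acceptable to the storage setup. The added comment also speaks only of how the root file-system is mounted, while the block sets the process label as well; one more sentence saying why "ProcessLabel" is passed would help the next reader. The diffstat shows only libpod/container_internal.go changed, so a restore test that runs 'podman exec' inside the restored container would cover the failure the commit message describes.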