authorDaniel J Walsh <dwalsh@redhat.com>2021-11-22 14:34:05 -0500
committerDaniel J Walsh <dwalsh@redhat.com>2021-11-23 16:31:54 -0500
commitdf6aa673024c96fb41e0f8170b44b6e7b12aaddb (patch)
tree54fee8347cdfaf931c19ac05da4f3e8ea0da988e
parent1be4c36e7ecbe05333e13320ea1e194b0c41b539 (diff)
Unset SocketLabel after system finishes checkpointing
This should fix the SELinux issue we are seeing with talking to /run/systemd/private. Fixes: https://github.com/containers/podman/issues/12362 Also unset the XDG_RUNTIME_DIR if set, since we don't know, when running as a service, whether this will cause issues. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
-rw-r--r--libpod/oci_conmon_linux.go32
-rw-r--r--test/system/600-completion.bats4
2 files changed, 28 insertions, 8 deletions
diff --git a/libpod/oci_conmon_linux.go b/libpod/oci_conmon_linux.go
index baf05189c..3aab6864a 100644
--- a/libpod/oci_conmon_linux.go
+++ b/libpod/oci_conmon_linux.go
@@ -777,9 +777,6 @@ func (r *ConmonOCIRuntime) AttachResize(ctr *Container, newSize define.TerminalS
// CheckpointContainer checkpoints the given container.
func (r *ConmonOCIRuntime) CheckpointContainer(ctr *Container, options ContainerCheckpointOptions) (int64, error) {
- if err := label.SetSocketLabel(ctr.ProcessLabel()); err != nil {
- return 0, err
- }
// imagePath is used by CRIU to store the actual checkpoint files
imagePath := ctr.CheckpointPath()
if options.PreCheckPoint {
@@ -823,14 +820,37 @@ func (r *ConmonOCIRuntime) CheckpointContainer(ctr *Container, options Container
if err != nil {
return 0, err
}
+ args = append(args, ctr.ID())
+ logrus.Debugf("the args to checkpoint: %s %s", r.path, strings.Join(args, " "))
+
+ oldRuntimeDir, oldRuntimeDirSet := os.LookupEnv("XDG_RUNTIME_DIR")
if err = os.Setenv("XDG_RUNTIME_DIR", runtimeDir); err != nil {
return 0, errors.Wrapf(err, "cannot set XDG_RUNTIME_DIR")
}
- args = append(args, ctr.ID())
- logrus.Debugf("the args to checkpoint: %s %s", r.path, strings.Join(args, " "))
+ runtime.LockOSThread()
+ if err := label.SetSocketLabel(ctr.ProcessLabel()); err != nil {
+ return 0, err
+ }
+ defer func() {
+ if oldRuntimeDirSet {
+ if err := os.Setenv("XDG_RUNTIME_DIR", oldRuntimeDir); err != nil {
+ logrus.Warnf("cannot resset XDG_RUNTIME_DIR: %v", err)
+ }
+ } else {
+ if err := os.Unsetenv("XDG_RUNTIME_DIR"); err != nil {
+ logrus.Warnf("cannot unset XDG_RUNTIME_DIR: %v", err)
+ }
+ }
+ }()
runtimeCheckpointStarted := time.Now()
err = utils.ExecCmdWithStdStreams(os.Stdin, os.Stdout, os.Stderr, nil, r.path, args...)
+ // Ignore error returned from SetSocketLabel("") call,
+ // can't recover.
+ if labelErr := label.SetSocketLabel(""); labelErr != nil {
+ logrus.Errorf("Unable to reset socket label: %q", labelErr)
+ }
+ runtime.UnlockOSThread()
runtimeCheckpointDuration := func() int64 {
if options.PrintStats {
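Review bot: The early `return 0, err` after the new `label.SetSocketLabel(ctr.ProcessLabel())` call leaves the OS thread locked and XDG_RUNTIME_DIR overridden, because `runtime.UnlockOSThread()` only runs on the success path after the exec and the restoring `defer func()` is registered only after that fallible call. Registering the deferred restore immediately after the successful `os.Setenv` and adding `runtime.UnlockOSThread()` before that return closes both gaps; alternatively, fold the `label.SetSocketLabel("")` reset and the unlock into the same deferred function so the thread is released on every exit path. Note also that `os.Setenv` is process-wide rather than thread-scoped, so while this call is in flight any concurrent goroutine in the same process observes the temporary XDG_RUNTIME_DIR, which is worth a short comment if it is acceptable for the service case the commit message mentions. The warning message `cannot resset XDG_RUNTIME_DIR: %v` should read `cannot reset XDG_RUNTIME_DIR: %v`. CheckpointContainer's body continues past the end of the hunk.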
@@ -1445,7 +1465,7 @@ func startCommandGivenSelinux(cmd *exec.Cmd, ctr *Container) error {
// Ignore error returned from SetProcessLabel("") call,
// can't recover.
if labelErr := label.SetProcessLabel(""); labelErr != nil {
- logrus.Errorf("Unable to set process label: %q", err)
+ logrus.Errorf("Unable to set process label: %q", labelErr)
}
runtime.UnlockOSThread()
return err
diff --git a/test/system/600-completion.bats b/test/system/600-completion.bats
index ac934732e..f580fc2fe 100644
--- a/test/system/600-completion.bats
+++ b/test/system/600-completion.bats
@@ -258,10 +258,10 @@ function _check_completion_end() {
# create pods for each state
run_podman pod create --name created-$random_pod_name
run_podman pod create --name running-$random_pod_name
- run_podman run -d --name running-$random_pod_name-con --pod running-$random_pod_name $IMAGE top
run_podman pod create --name degraded-$random_pod_name
- run_podman run -d --name degraded-$random_pod_name-con --pod degraded-$random_pod_name $IMAGE echo degraded
run_podman pod create --name exited-$random_pod_name
+ run_podman run -d --name running-$random_pod_name-con --pod running-$random_pod_name $IMAGE top
+ run_podman run -d --name degraded-$random_pod_name-con --pod degraded-$random_pod_name $IMAGE echo degraded
run_podman run -d --name exited-$random_pod_name-con --pod exited-$random_pod_name $IMAGE echo exited
run_podman pod stop exited-$random_pod_name