aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorOpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com>2018-10-02 09:07:50 -0700
committerGitHub <noreply@github.com>2018-10-02 09:07:50 -0700
commit506ae3650b906e920b0b04d5f1bbe15873a90da1 (patch)
treea07b28e4da5fb1e1a3416d7ac14b9809dacdce2e
parent89c5804fe0ca3ece7587adb5d5c974dbc494f721 (diff)
parent86d435f32fc4230481d789499973c07a5b5ae78d (diff)
downloadpodman-506ae3650b906e920b0b04d5f1bbe15873a90da1.tar.gz
podman-506ae3650b906e920b0b04d5f1bbe15873a90da1.tar.bz2
podman-506ae3650b906e920b0b04d5f1bbe15873a90da1.zip
Merge pull request #1576 from rhatdan/label
Disable SELinux labeling if --privileged
-rw-r--r--cmd/podman/create.go4
-rw-r--r--test/e2e/run_selinux_test.go87
-rw-r--r--test/e2e/run_test.go54
3 files changed, 90 insertions, 55 deletions
diff --git a/cmd/podman/create.go b/cmd/podman/create.go
index fc0c71536..574137271 100644
--- a/cmd/podman/create.go
+++ b/cmd/podman/create.go
@@ -784,7 +784,9 @@ func parseCreateOpts(ctx context.Context, c *cli.Context, runtime *libpod.Runtim
VolumesFrom: c.StringSlice("volumes-from"),
}
- if !config.Privileged {
+ if config.Privileged {
+ config.LabelOpts = label.DisableSecOpt()
+ } else {
if err := parseSecurityOpt(config, c.StringSlice("security-opt")); err != nil {
return nil, err
}
diff --git a/test/e2e/run_selinux_test.go b/test/e2e/run_selinux_test.go
new file mode 100644
index 000000000..ebe6604cc
--- /dev/null
+++ b/test/e2e/run_selinux_test.go
@@ -0,0 +1,87 @@
+package integration
+
+import (
+ "fmt"
+ "os"
+
+ . "github.com/onsi/ginkgo"
+ . "github.com/onsi/gomega"
+ "github.com/opencontainers/selinux/go-selinux"
+)
+
+var _ = Describe("Podman run", func() {
+ var (
+ tempdir string
+ err error
+ podmanTest PodmanTest
+ )
+
+ BeforeEach(func() {
+ tempdir, err = CreateTempDirInTempDir()
+ if err != nil {
+ os.Exit(1)
+ }
+ podmanTest = PodmanCreate(tempdir)
+ podmanTest.RestoreAllArtifacts()
+ if !selinux.GetEnabled() {
+ Skip("SELinux not enabled")
+ }
+ })
+
+ AfterEach(func() {
+ podmanTest.Cleanup()
+ f := CurrentGinkgoTestDescription()
+ timedResult := fmt.Sprintf("Test: %s completed in %f seconds", f.TestText, f.Duration.Seconds())
+ GinkgoWriter.Write([]byte(timedResult))
+ })
+
+ It("podman run selinux", func() {
+ session := podmanTest.Podman([]string{"run", ALPINE, "cat", "/proc/self/attr/current"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ match, _ := session.GrepString("container_t")
+ Expect(match).Should(BeTrue())
+ })
+
+ It("podman run selinux grep test", func() {
+ session := podmanTest.Podman([]string{"run", "-it", "--security-opt", "label=level:s0:c1,c2", ALPINE, "cat", "/proc/self/attr/current"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ match, _ := session.GrepString("s0:c1,c2")
+ Expect(match).Should(BeTrue())
+ })
+
+ It("podman run selinux disable test", func() {
+ session := podmanTest.Podman([]string{"run", "-it", "--security-opt", "label=disable", ALPINE, "cat", "/proc/self/attr/current"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ match, _ := session.GrepString("spc_t")
+ Expect(match).Should(BeTrue())
+ })
+
+ It("podman run selinux type check test", func() {
+ session := podmanTest.Podman([]string{"run", "-it", ALPINE, "cat", "/proc/self/attr/current"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ match1, _ := session.GrepString("container_t")
+ match2, _ := session.GrepString("svirt_lxc_net_t")
+ Expect(match1 || match2).Should(BeTrue())
+ })
+
+ It("podman run selinux type setup test", func() {
+ session := podmanTest.Podman([]string{"run", "-it", "--security-opt", "label=type:spc_t", ALPINE, "cat", "/proc/self/attr/current"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ match, _ := session.GrepString("spc_t")
+ Expect(match).Should(BeTrue())
+ })
+
+ It("podman privileged selinux", func() {
+ session := podmanTest.Podman([]string{"run", "--privileged", ALPINE, "cat", "/proc/self/attr/current"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ match, _ := session.GrepString("spc_t")
+ Expect(match).Should(BeTrue())
+ })
+
+})
diff --git a/test/e2e/run_test.go b/test/e2e/run_test.go
index 777b49cd8..a443d4ca5 100644
--- a/test/e2e/run_test.go
+++ b/test/e2e/run_test.go
@@ -10,7 +10,6 @@ import (
"github.com/mrunalp/fileutils"
. "github.com/onsi/ginkgo"
. "github.com/onsi/gomega"
- "github.com/opencontainers/selinux/go-selinux"
)
var _ = Describe("Podman run", func() {
@@ -85,59 +84,6 @@ var _ = Describe("Podman run", func() {
Expect(session.ExitCode()).To(Equal(0))
})
- It("podman run selinux grep test", func() {
- if !selinux.GetEnabled() {
- Skip("SELinux not enabled")
- }
- session := podmanTest.Podman([]string{"run", "-it", "--security-opt", "label=level:s0:c1,c2", ALPINE, "cat", "/proc/self/attr/current"})
- session.WaitWithDefaultTimeout()
- Expect(session.ExitCode()).To(Equal(0))
- match, _ := session.GrepString("s0:c1,c2")
- Expect(match).Should(BeTrue())
- })
-
- It("podman run selinux disable test", func() {
- if !selinux.GetEnabled() {
- Skip("SELinux not enabled")
- }
- session := podmanTest.Podman([]string{"run", "-it", "--security-opt", "label=disable", ALPINE, "cat", "/proc/self/attr/current"})
- session.WaitWithDefaultTimeout()
- Expect(session.ExitCode()).To(Equal(0))
- match, _ := session.GrepString("spc_t")
- Expect(match).Should(BeTrue())
- })
-
- It("podman run selinux type check test", func() {
- if !selinux.GetEnabled() {
- Skip("SELinux not enabled")
- }
- session := podmanTest.Podman([]string{"run", "-it", ALPINE, "cat", "/proc/self/attr/current"})
- session.WaitWithDefaultTimeout()
- Expect(session.ExitCode()).To(Equal(0))
- match1, _ := session.GrepString("container_t")
- match2, _ := session.GrepString("svirt_lxc_net_t")
- Expect(match1 || match2).Should(BeTrue())
- })
-
- It("podman run selinux type setup test", func() {
- if !selinux.GetEnabled() {
- Skip("SELinux not enabled")
- }
- session := podmanTest.Podman([]string{"run", "-it", "--security-opt", "label=type:spc_t", ALPINE, "cat", "/proc/self/attr/current"})
- session.WaitWithDefaultTimeout()
- Expect(session.ExitCode()).To(Equal(0))
- match, _ := session.GrepString("spc_t")
- Expect(match).Should(BeTrue())
- })
-
- It("podman run seccomp undefine test", func() {
- session := podmanTest.Podman([]string{"run", "-it", "--security-opt", "seccomp=unconfined", ALPINE, "echo", "hello"})
- session.WaitWithDefaultTimeout()
- Expect(session.ExitCode()).To(Equal(0))
- match, _ := session.GrepString("hello")
- Expect(match).Should(BeTrue())
- })
-
It("podman run seccomp test", func() {
jsonFile := filepath.Join(podmanTest.TempDir, "seccomp.json")
in := []byte(`{"defaultAction":"SCMP_ACT_ALLOW","syscalls":[{"name":"getcwd","action":"SCMP_ACT_ERRNO"}]}`)