author | Daniel J Walsh <dwalsh@redhat.com> | 2018-09-18 09:06:40 -0400 |
committer | Atomic Bot <atomic-devel@projectatomic.io> | 2018-09-20 16:01:29 +0000 |
commit | fbfcc7842e0e3361c53bc607411c200824c111b4 (patch) | |
tree | 206996ea536a26ed17a8f79326a1e51041c4147f /libpod/container_internal_linux.go | |
parent | 2cbb8c216a2f8e7160cdf88ef6ef50ee75559d96 (diff) | |
Add new field to libpod to indicate whether or not to use labelling
Also update the man pages with some missing libpod.conf options.
Fix sort order of security options and add a note about disabling
labeling.
When a process requests a new label, libpod needs to reserve all
labels to make sure that there are no conflicts.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #1406
Approved by: mheon
Diffstat (limited to 'libpod/container_internal_linux.go')
-rw-r--r-- | libpod/container_internal_linux.go | 22 |
1 files changed, 22 insertions, 0 deletions
diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go
index f9e161cb3..b77beaf64 100644
--- a/libpod/container_internal_linux.go
+++ b/libpod/container_internal_linux.go
@@ -98,6 +98,28 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) {
 }
 }
+ // Check if the spec file mounts contain the label Relabel flags z or Z.
+ // If they do, relabel the source directory and then remove the option.
+ for _, m := range g.Mounts() {
+ var options []string
+ for _, o := range m.Options {
+ switch o {
+ case "z":
+ fallthrough
+ case "Z":
+ if err := label.Relabel(m.Source, c.MountLabel(), label.IsShared(o)); err != nil {
+ return nil, errors.Wrapf(err, "relabel failed %q", m.Source)
+ }
+
+ default:
+ options = append(options, o)
+ }
+ }
+ m.Options = options
+ }
+
+ g.SetProcessSelinuxLabel(c.ProcessLabel())
+ g.SetLinuxMountLabel(c.MountLabel())
 // Remove the default /dev/shm mount to ensure we overwrite it
 g.RemoveMount("/dev/shm") |