Add SELinux support for pods

All containers within a Pod need to run with the same SELinux label, unless overwritten by the user. Also added a bunch of SELinux tests to make sure selinux labels are correct on namespaces. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
author: Daniel J Walsh <dwalsh@redhat.com> 2020-10-02 12:02:16 -0400
committer: Daniel J Walsh <dwalsh@redhat.com> 2020-10-02 15:14:18 -0400
commit: d0f3c17912643aca73372aa87f3eadf757621ccc (patch)
tree: 90c45920faf9cbdf589b888101dbf8dd98845cd7 /libpod/pod.go
parent: d4e97b35c2fa9e27b78c14e9ce7f3272d7db7cbf (diff)
download: podman-d0f3c17912643aca73372aa87f3eadf757621ccc.tar.gz
podman-d0f3c17912643aca73372aa87f3eadf757621ccc.tar.bz2
podman-d0f3c17912643aca73372aa87f3eadf757621ccc.zip
1 files changed, 18 insertions, 0 deletions
diff --git a/libpod/pod.go b/libpod/pod.go
index a5a0532be..c8f62ca18 100644
--- a/libpod/pod.go
+++ b/libpod/pod.go
@@ -327,3 +327,21 @@ func (p *Pod) GetPodStats(previousContainerStats map[string]*define.ContainerSta
 	}
 	return newContainerStats, nil
 }
+
+// ProcessLabel returns the SELinux label associated with the pod
+func (p *Pod) ProcessLabel() (string, error) {
+	if !p.HasInfraContainer() {
+		return "", nil
+	}
+
+	id, err := p.InfraContainerID()
+	if err != nil {
+		return "", err
+	}
+
+	ctr, err := p.runtime.state.Container(id)
+	if err != nil {
+		return "", err
+	}
+	return ctr.ProcessLabel(), nil
+}
author	Daniel J Walsh <dwalsh@redhat.com>	2020-10-02 12:02:16 -0400
committer	Daniel J Walsh <dwalsh@redhat.com>	2020-10-02 15:14:18 -0400
commit	d0f3c17912643aca73372aa87f3eadf757621ccc (patch)
tree	90c45920faf9cbdf589b888101dbf8dd98845cd7 /libpod/pod.go
parent	d4e97b35c2fa9e27b78c14e9ce7f3272d7db7cbf (diff)
download	podman-d0f3c17912643aca73372aa87f3eadf757621ccc.tar.gz podman-d0f3c17912643aca73372aa87f3eadf757621ccc.tar.bz2 podman-d0f3c17912643aca73372aa87f3eadf757621ccc.zip