summaryrefslogtreecommitdiff
path: root/libpod
diff options
context:
space:
mode:
authorDaniel J Walsh <dwalsh@redhat.com>2021-08-02 16:33:33 -0400
committerDaniel J Walsh <dwalsh@redhat.com>2021-08-02 17:08:08 -0400
commit985c717085be3692bb25b498cdc8016ac00d5640 (patch)
tree5f4625f03a32b52cd4aba585f7a072a48b53a0d5 /libpod
parent58cdb3236f7ac4940eaa265c83f25e68eacf0b42 (diff)
downloadpodman-985c717085be3692bb25b498cdc8016ac00d5640.tar.gz
podman-985c717085be3692bb25b498cdc8016ac00d5640.tar.bz2
podman-985c717085be3692bb25b498cdc8016ac00d5640.zip
Fix handling of user specified container labels
Currently we override the SELinux labels specified by the user if the container is runing a kata container or systemd container. This PR fixes to use the label specified by the user. Fixes: https://github.com/containers/podman/issues/11100 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Diffstat (limited to 'libpod')
-rw-r--r--libpod/container_internal.go36
1 files changed, 23 insertions, 13 deletions
diff --git a/libpod/container_internal.go b/libpod/container_internal.go
index e7694227a..8ffcccf4c 100644
--- a/libpod/container_internal.go
+++ b/libpod/container_internal.go
@@ -472,20 +472,10 @@ func (c *Container) setupStorage(ctx context.Context) error {
c.config.IDMappings.UIDMap = containerInfo.UIDMap
c.config.IDMappings.GIDMap = containerInfo.GIDMap
- processLabel := containerInfo.ProcessLabel
- switch {
- case c.ociRuntime.SupportsKVM():
- processLabel, err = selinux.KVMLabel(processLabel)
- if err != nil {
- return err
- }
- case c.config.Systemd:
- processLabel, err = selinux.InitLabel(processLabel)
- if err != nil {
- return err
- }
+ processLabel, err := c.processLabel(containerInfo.ProcessLabel)
+ if err != nil {
+ return err
}
-
c.config.ProcessLabel = processLabel
c.config.MountLabel = containerInfo.MountLabel
c.config.StaticDir = containerInfo.Dir
@@ -520,6 +510,26 @@ func (c *Container) setupStorage(ctx context.Context) error {
return nil
}
+func (c *Container) processLabel(processLabel string) (string, error) {
+ if !c.config.Systemd && !c.ociRuntime.SupportsKVM() {
+ return processLabel, nil
+ }
+ ctrSpec, err := c.specFromState()
+ if err != nil {
+ return "", err
+ }
+ label, ok := ctrSpec.Annotations[define.InspectAnnotationLabel]
+ if !ok || !strings.Contains(label, "type:") {
+ switch {
+ case c.ociRuntime.SupportsKVM():
+ return selinux.KVMLabel(processLabel)
+ case c.config.Systemd:
+ return selinux.InitLabel(processLabel)
+ }
+ }
+ return processLabel, nil
+}
+
// Tear down a container's storage prior to removal
func (c *Container) teardownStorage() error {
if c.ensureState(define.ContainerStateRunning, define.ContainerStatePaused) {