diff options
| author | Daniel J Walsh <dwalsh@redhat.com> | 2020-10-02 12:02:16 -0400 |
|---|---|---|
| committer | Daniel J Walsh <dwalsh@redhat.com> | 2020-10-02 15:14:18 -0400 |
| commit | d0f3c17912643aca73372aa87f3eadf757621ccc (patch) | |
| tree | 90c45920faf9cbdf589b888101dbf8dd98845cd7 /libpod | |
| parent | d4e97b35c2fa9e27b78c14e9ce7f3272d7db7cbf (diff) | |
| download | podman-d0f3c17912643aca73372aa87f3eadf757621ccc.tar.gz podman-d0f3c17912643aca73372aa87f3eadf757621ccc.tar.bz2 podman-d0f3c17912643aca73372aa87f3eadf757621ccc.zip | |
Add SELinux support for pods
All containers within a Pod need to run with the same SELinux
label, unless overwritten by the user.
Also added a bunch of SELinux tests to make sure selinux labels
are correct on namespaces.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Diffstat (limited to 'libpod')
| -rw-r--r-- | libpod/pod.go | 18 |
1 files changed, 18 insertions, 0 deletions
diff --git a/libpod/pod.go b/libpod/pod.go index a5a0532be..c8f62ca18 100644 --- a/libpod/pod.go +++ b/libpod/pod.go @@ -327,3 +327,21 @@ func (p *Pod) GetPodStats(previousContainerStats map[string]*define.ContainerSta } return newContainerStats, nil } + +// ProcessLabel returns the SELinux label associated with the pod +func (p *Pod) ProcessLabel() (string, error) { + if !p.HasInfraContainer() { + return "", nil + } + + id, err := p.InfraContainerID() + if err != nil { + return "", err + } + + ctr, err := p.runtime.state.Container(id) + if err != nil { + return "", err + } + return ctr.ProcessLabel(), nil +} |