authorDaniel J Walsh <dwalsh@redhat.com>2019-09-16 08:39:39 -0400
committerDaniel J Walsh <dwalsh@redhat.com>2019-09-16 09:56:43 -0400
commit405ef9bc5636b8940f93413231ed1e4299e3d4ac (patch)
tree19c24974ec46d5d5136b25250d86bb7be02984e2 /pkg/spec
parenta1970e1915fa99c1893bccd3a71a11d2bff77602 (diff)
Add 'relabel' to --mount options
Currently, if a user specifies a --mount option, there is no way to tell SELinux to relabel the mount point. This patch adds the relabel=shared and relabel=private options. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Diffstat (limited to 'pkg/spec')
-rw-r--r--pkg/spec/storage.go18
1 files changed, 17 insertions, 1 deletions
diff --git a/pkg/spec/storage.go b/pkg/spec/storage.go
index bc0eaad6d..cc091dcee 100644
--- a/pkg/spec/storage.go
+++ b/pkg/spec/storage.go
@@ -389,7 +389,7 @@ func getBindMount(args []string) (spec.Mount, error) {
Type: TypeBind,
}
- var setSource, setDest, setRORW, setSuid, setDev, setExec bool
+ var setSource, setDest, setRORW, setSuid, setDev, setExec, setRelabel bool
for _, val := range args {
kv := strings.Split(val, "=")
@@ -467,6 +467,22 @@ func getBindMount(args []string) (spec.Mount, error) {
}
newMount.Destination = kv[1]
setDest = true
+ case "relabel":
+ if setRelabel {
+ return newMount, errors.Wrapf(optionArgError, "cannot pass 'relabel' option more than once")
+ }
+ setRelabel = true
+ if len(kv) != 2 {
+ return newMount, errors.Wrapf(util.ErrBadMntOption, "%s mount option must be 'private' or 'shared'", kv[0])
+ }
+ switch kv[1] {
+ case "private":
+ newMount.Options = append(newMount.Options, "z")
+ case "shared":
+ newMount.Options = append(newMount.Options, "Z")
+ default:
+ return newMount, errors.Wrapf(util.ErrBadMntOption, "%s mount option must be 'private' or 'shared'", kv[0])
+ }
default:
return newMount, errors.Wrapf(util.ErrBadMntOption, kv[0])
}
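Review bot: The two relabel values look swapped in the new `case "relabel"` branch: `private` appends `z` and `shared` appends `Z`. In the volume-option convention this code feeds, lowercase `z` requests a label shared between containers and uppercase `Z` requests a private, unshared one. As written, a mount requested with `relabel=private` would get the shared label and lose the per-container MCS separation the user asked for, while `relabel=shared` would get a private label and break access from other containers. I would change the arms to `case "private": newMount.Options = append(newMount.Options, "Z")` and `case "shared": newMount.Options = append(newMount.Options, "z")`, and add a unit test that pins both mappings. getBindMount starts and ends outside this hunk, so how Options is consumed later is not visible here.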