Add SELinux support for pods

All containers within a Pod need to run with the same SELinux
label, unless overwritten by the user.

Also added a bunch of SELinux tests to make sure selinux labels
are correct on namespaces.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

1 files changed, 16 insertions, 0 deletions

diff --git a/pkg/specgen/generate/container_create.go b/pkg/specgen/generate/container_create.go
index 2ac3b376f..147450703 100644
--- a/pkg/specgen/generate/container_create.go
+++ b/pkg/specgen/generate/container_create.go
@@ -11,6 +11,7 @@ import (
 	"github.com/containers/podman/v2/pkg/specgen"
 	"github.com/containers/podman/v2/pkg/util"
 	"github.com/containers/storage"
+	"github.com/opencontainers/selinux/go-selinux/label"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 )
@@ -272,6 +273,21 @@ func createContainerOptions(ctx context.Context, rt *libpod.Runtime, s *specgen.
 	// Security options
 	if len(s.SelinuxOpts) > 0 {
 		options = append(options, libpod.WithSecLabels(s.SelinuxOpts))
+	} else {
+		if pod != nil {
+			// duplicate the security options from the pod
+			processLabel, err := pod.ProcessLabel()
+			if err != nil {
+				return nil, err
+			}
+			if processLabel != "" {
+				selinuxOpts, err := label.DupSecOpt(processLabel)
+				if err != nil {
+					return nil, err
+				}
+				options = append(options, libpod.WithSecLabels(selinuxOpts))
+			}
+		}
 	}
 	options = append(options, libpod.WithPrivileged(s.Privileged))