| field | value | date |
|---|---|---|
| author | Daniel J Walsh <dwalsh@redhat.com> | 2021-08-02 16:33:33 -0400 |
| committer | Daniel J Walsh <dwalsh@redhat.com> | 2021-08-02 17:08:08 -0400 |
| commit | 985c717085be3692bb25b498cdc8016ac00d5640 (patch) | |
| tree | 5f4625f03a32b52cd4aba585f7a072a48b53a0d5 /test/system/410-selinux.bats | |
| parent | 58cdb3236f7ac4940eaa265c83f25e68eacf0b42 (diff) | |
Fix handling of user specified container labels
Currently we override the SELinux labels specified by the user
if the container is running a kata container or systemd container.
This PR fixes this to use the label specified by the user.
Fixes: https://github.com/containers/podman/issues/11100
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Diffstat (limited to 'test/system/410-selinux.bats')

| mode | file | lines |
|---|---|---|
| -rw-r--r-- | test/system/410-selinux.bats | 12 |

1 files changed, 12 insertions, 0 deletions
diff --git a/test/system/410-selinux.bats b/test/system/410-selinux.bats index 4ef9c8b30..5ee0e0715 100644 --- a/test/system/410-selinux.bats +++ b/test/system/410-selinux.bats @@ -50,6 +50,18 @@ function check_label() { check_label "--systemd=always" "container_init_t" } +@test "podman selinux: init container with --security-opt type" { + check_label "--systemd=always --security-opt=label=type:spc_t" "spc_t" +} + +@test "podman selinux: init container with --security-opt level&type" { + check_label "--systemd=always --security-opt=label=level:s0:c1,c2 --security-opt=label=type:spc_t" "spc_t" "s0:c1,c2" +} + +@test "podman selinux: init container with --security-opt level" { + check_label "--systemd=always --security-opt=label=level:s0:c1,c2" "container_init_t" "s0:c1,c2" +} + @test "podman selinux: pid=host" { # FIXME this test fails when run rootless with runc: # Error: container_linux.go:367: starting container process caused: process_linux.go:495: container init caused: readonly path /proc/asound: operation not permitted: OCI permission denied |
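Review bot: the two new cases that pass a third argument ("s0:c1,c2") depend on check_label actually verifying the MLS level, but this hunk only shows check_label being called, and the existing call in the context line uses just two arguments (`check_label "--systemd=always" "container_init_t"`); confirm that the function, defined above this hunk, asserts on the level argument when it is given, otherwise the two `level` tests pass without checking what they are named for. The commit message also describes the kata-container path as having the same override, yet none of the added cases exercise it; if no kata runtime is available in CI, a short comment next to these tests noting that the kata path is untested would make the coverage gap explicit.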