Support automatic labeling of kube volumes

Allow users to specify options on the volume mount path.
This will trigger relabels of user specifies :z,:Z
Also will handle User Relabels if the user specifies :U

Fixes: https://github.com/containers/podman/issues/9371

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

1 files changed, 24 insertions, 2 deletions

diff --git a/test/system/700-play.bats b/test/system/700-play.bats
index 8fa96741c..bcd8cf939 100644
--- a/test/system/700-play.bats
+++ b/test/system/700-play.bats
@@ -51,18 +51,40 @@ spec:
       seLinuxOptions:
          level: "s0:c1,c2"
       readOnlyRootFilesystem: false
+    volumeMounts:
+    - mountPath: /testdir:z
+      name: home-podman-testdir
     workingDir: /
+  volumes:
+  - hostPath:
+      path: TESTDIR
+      type: Directory
+    name: home-podman-testdir
 status: {}
 "
 
+RELABEL="system_u:object_r:container_file_t:s0"
+
 @test "podman play with stdin" {
-    echo "$testYaml" > $PODMAN_TMPDIR/test.yaml
+    TESTDIR=$PODMAN_TMPDIR/testdir
+    mkdir -p $TESTDIR
+    echo "$testYaml" | sed "s|TESTDIR|${TESTDIR}|g" > $PODMAN_TMPDIR/test.yaml
     run_podman play kube - < $PODMAN_TMPDIR/test.yaml
+    if [ -e /usr/sbin/selinuxenabled -a /usr/sbin/selinuxenabled ]; then
+       run ls -Zd $TESTDIR
+       is "$output" ${RELABEL} "selinux relabel should have happened"
+    fi
     run_podman pod rm -f test_pod
 }
 
 @test "podman play" {
-    echo "$testYaml" > $PODMAN_TMPDIR/test.yaml
+    TESTDIR=$PODMAN_TMPDIR/testdir
+    mkdir -p $TESTDIR
+    echo "$testYaml" | sed "s|TESTDIR|${TESTDIR}|g" > $PODMAN_TMPDIR/test.yaml
     run_podman play kube $PODMAN_TMPDIR/test.yaml
+    if [ -e /usr/sbin/selinuxenabled -a /usr/sbin/selinuxenabled ]; then
+       run ls -Zd $TESTDIR
+       is "$output" ${RELABEL} "selinux relabel should have happened"
+    fi
     run_podman pod rm -f test_pod
 }