authorDaniel J Walsh <dwalsh@redhat.com>2021-08-02 16:33:33 -0400
committerMatthew Heon <matthew.heon@pm.me>2021-08-10 20:29:38 -0400
commitcb7f0a3025437b6d00c4e4eca903f0452ba3d711 (patch)
tree22b593e5971cac9da743d6fe5a13f3db225c9fb3 /test
parentd749770fe2b11b7d0677824edc85f88c5f96245d (diff)
Fix handling of user specified container labels
Currently we override the SELinux labels specified by the user if the container is running a kata container or systemd container. This PR fixes this to use the label specified by the user. Fixes: https://github.com/containers/podman/issues/11100 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Diffstat (limited to 'test')
-rw-r--r--test/system/410-selinux.bats12
1 files changed, 12 insertions, 0 deletions
diff --git a/test/system/410-selinux.bats b/test/system/410-selinux.bats
index 4ef9c8b30..5ee0e0715 100644
--- a/test/system/410-selinux.bats
+++ b/test/system/410-selinux.bats
@@ -50,6 +50,18 @@ function check_label() {
check_label "--systemd=always" "container_init_t"
}
+@test "podman selinux: init container with --security-opt type" {
+ check_label "--systemd=always --security-opt=label=type:spc_t" "spc_t"
+}
+
+@test "podman selinux: init container with --security-opt level&type" {
+ check_label "--systemd=always --security-opt=label=level:s0:c1,c2 --security-opt=label=type:spc_t" "spc_t" "s0:c1,c2"
+}
+
+@test "podman selinux: init container with --security-opt level" {
+ check_label "--systemd=always --security-opt=label=level:s0:c1,c2" "container_init_t" "s0:c1,c2"
+}
+
@test "podman selinux: pid=host" {
# FIXME this test fails when run rootless with runc:
# Error: container_linux.go:367: starting container process caused: process_linux.go:495: container init caused: readonly path /proc/asound: operation not permitted: OCI permission denied
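Review bot: The three added tests exercise only the `--systemd=always` path, while the commit message says the user's label was also overridden for kata containers; no kata case is visible in this hunk, so that half of the fix looks untested here (it may be covered elsewhere, or need a runtime the CI hosts lack). Because `spc_t` is a largely unconfined type, a one-line comment above the first new test would help, e.g. `# a user-supplied --security-opt label=type/level must win over the container_init_t default picked for --systemd=always`. The third argument passed to check_label is presumably the expected MCS level; check_label is defined outside this hunk, so confirm it actually compares the level when one is given, otherwise the `s0:c1,c2` assertions are vacuous.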