summaryrefslogtreecommitdiff
path: root/test
diff options
context:
space:
mode:
authorMatthew Heon <mheon@redhat.com>2021-05-13 14:41:38 -0400
committerMatthew Heon <mheon@redhat.com>2021-05-17 09:10:59 -0400
commit6efca0bbac4346be1c9693c5ef5c592f2fc21035 (patch)
tree5bb6d35178cb634b982cf013c1f59ad539711f7d /test
parent3bdbe3ce969ac510b8d4ee44da4578da9fed659c (diff)
downloadpodman-6efca0bbac4346be1c9693c5ef5c592f2fc21035.tar.gz
podman-6efca0bbac4346be1c9693c5ef5c592f2fc21035.tar.bz2
podman-6efca0bbac4346be1c9693c5ef5c592f2fc21035.zip
Ensure that :Z/:z/:U can be used with named volumes
Docker allows relabeling of any volume passed in via -v, even including named volumes. This normally isn't an issue at all, given named volumes get the right label for container access automatically, but this becomes an issue when volume plugins are involved - these aren't managed by Podman, and may well be unaware of SELinux labelling. We could automatically relabel these volumes on creation, but I'm still reluctant to do that (feels like it could break things). Instead, let's allow :z and :Z to be used with named volumes, so users can explicitly request relabel of a volume plugin-backed volume. We also get :U at the same time. I don't see any real need for it but it also doesn't seem to hurt, so I didn't bother disabling it. Fixes #10273 Signed-off-by: Matthew Heon <mheon@redhat.com>
Diffstat (limited to 'test')
-rw-r--r--test/e2e/run_selinux_test.go8
1 files changed, 8 insertions, 0 deletions
diff --git a/test/e2e/run_selinux_test.go b/test/e2e/run_selinux_test.go
index 6abe152a9..2886f06c1 100644
--- a/test/e2e/run_selinux_test.go
+++ b/test/e2e/run_selinux_test.go
@@ -343,4 +343,12 @@ var _ = Describe("Podman run", func() {
session.WaitWithDefaultTimeout()
Expect(session.OutputToString()).To(ContainSubstring("container_init_t"))
})
+
+ It("podman relabels named volume with :Z", func() {
+ session := podmanTest.Podman([]string{"run", "-v", "testvol:/test1/test:Z", fedoraMinimal, "ls", "-alZ", "/test1"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ match, _ := session.GrepString(":s0:")
+ Expect(match).Should(BeTrue())
+ })
})