diff options
| -rw-r--r-- | cmd/podman/create.go | 4 | ||||
| -rw-r--r-- | test/e2e/run_selinux_test.go | 87 | ||||
| -rw-r--r-- | test/e2e/run_test.go | 54 |
3 files changed, 90 insertions, 55 deletions
diff --git a/cmd/podman/create.go b/cmd/podman/create.go index fc0c71536..574137271 100644 --- a/cmd/podman/create.go +++ b/cmd/podman/create.go @@ -784,7 +784,9 @@ func parseCreateOpts(ctx context.Context, c *cli.Context, runtime *libpod.Runtim VolumesFrom: c.StringSlice("volumes-from"), } - if !config.Privileged { + if config.Privileged { + config.LabelOpts = label.DisableSecOpt() + } else { if err := parseSecurityOpt(config, c.StringSlice("security-opt")); err != nil { return nil, err } diff --git a/test/e2e/run_selinux_test.go b/test/e2e/run_selinux_test.go new file mode 100644 index 000000000..ebe6604cc --- /dev/null +++ b/test/e2e/run_selinux_test.go @@ -0,0 +1,87 @@ +package integration + +import ( + "fmt" + "os" + + . "github.com/onsi/ginkgo" + . "github.com/onsi/gomega" + "github.com/opencontainers/selinux/go-selinux" +) + +var _ = Describe("Podman run", func() { + var ( + tempdir string + err error + podmanTest PodmanTest + ) + + BeforeEach(func() { + tempdir, err = CreateTempDirInTempDir() + if err != nil { + os.Exit(1) + } + podmanTest = PodmanCreate(tempdir) + podmanTest.RestoreAllArtifacts() + if !selinux.GetEnabled() { + Skip("SELinux not enabled") + } + }) + + AfterEach(func() { + podmanTest.Cleanup() + f := CurrentGinkgoTestDescription() + timedResult := fmt.Sprintf("Test: %s completed in %f seconds", f.TestText, f.Duration.Seconds()) + GinkgoWriter.Write([]byte(timedResult)) + }) + + It("podman run selinux", func() { + session := podmanTest.Podman([]string{"run", ALPINE, "cat", "/proc/self/attr/current"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + match, _ := session.GrepString("container_t") + Expect(match).Should(BeTrue()) + }) + + It("podman run selinux grep test", func() { + session := podmanTest.Podman([]string{"run", "-it", "--security-opt", "label=level:s0:c1,c2", ALPINE, "cat", "/proc/self/attr/current"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + match, _ := session.GrepString("s0:c1,c2") + Expect(match).Should(BeTrue()) + }) + + It("podman run selinux disable test", func() { + session := podmanTest.Podman([]string{"run", "-it", "--security-opt", "label=disable", ALPINE, "cat", "/proc/self/attr/current"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + match, _ := session.GrepString("spc_t") + Expect(match).Should(BeTrue()) + }) + + It("podman run selinux type check test", func() { + session := podmanTest.Podman([]string{"run", "-it", ALPINE, "cat", "/proc/self/attr/current"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + match1, _ := session.GrepString("container_t") + match2, _ := session.GrepString("svirt_lxc_net_t") + Expect(match1 || match2).Should(BeTrue()) + }) + + It("podman run selinux type setup test", func() { + session := podmanTest.Podman([]string{"run", "-it", "--security-opt", "label=type:spc_t", ALPINE, "cat", "/proc/self/attr/current"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + match, _ := session.GrepString("spc_t") + Expect(match).Should(BeTrue()) + }) + + It("podman privileged selinux", func() { + session := podmanTest.Podman([]string{"run", "--privileged", ALPINE, "cat", "/proc/self/attr/current"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + match, _ := session.GrepString("spc_t") + Expect(match).Should(BeTrue()) + }) + +}) diff --git a/test/e2e/run_test.go b/test/e2e/run_test.go index 777b49cd8..a443d4ca5 100644 --- a/test/e2e/run_test.go +++ b/test/e2e/run_test.go @@ -10,7 +10,6 @@ import ( "github.com/mrunalp/fileutils" . "github.com/onsi/ginkgo" . "github.com/onsi/gomega" - "github.com/opencontainers/selinux/go-selinux" ) var _ = Describe("Podman run", func() { @@ -85,59 +84,6 @@ var _ = Describe("Podman run", func() { Expect(session.ExitCode()).To(Equal(0)) }) - It("podman run selinux grep test", func() { - if !selinux.GetEnabled() { - Skip("SELinux not enabled") - } - session := podmanTest.Podman([]string{"run", "-it", "--security-opt", "label=level:s0:c1,c2", ALPINE, "cat", "/proc/self/attr/current"}) - session.WaitWithDefaultTimeout() - Expect(session.ExitCode()).To(Equal(0)) - match, _ := session.GrepString("s0:c1,c2") - Expect(match).Should(BeTrue()) - }) - - It("podman run selinux disable test", func() { - if !selinux.GetEnabled() { - Skip("SELinux not enabled") - } - session := podmanTest.Podman([]string{"run", "-it", "--security-opt", "label=disable", ALPINE, "cat", "/proc/self/attr/current"}) - session.WaitWithDefaultTimeout() - Expect(session.ExitCode()).To(Equal(0)) - match, _ := session.GrepString("spc_t") - Expect(match).Should(BeTrue()) - }) - - It("podman run selinux type check test", func() { - if !selinux.GetEnabled() { - Skip("SELinux not enabled") - } - session := podmanTest.Podman([]string{"run", "-it", ALPINE, "cat", "/proc/self/attr/current"}) - session.WaitWithDefaultTimeout() - Expect(session.ExitCode()).To(Equal(0)) - match1, _ := session.GrepString("container_t") - match2, _ := session.GrepString("svirt_lxc_net_t") - Expect(match1 || match2).Should(BeTrue()) - }) - - It("podman run selinux type setup test", func() { - if !selinux.GetEnabled() { - Skip("SELinux not enabled") - } - session := podmanTest.Podman([]string{"run", "-it", "--security-opt", "label=type:spc_t", ALPINE, "cat", "/proc/self/attr/current"}) - session.WaitWithDefaultTimeout() - Expect(session.ExitCode()).To(Equal(0)) - match, _ := session.GrepString("spc_t") - Expect(match).Should(BeTrue()) - }) - - It("podman run seccomp undefine test", func() { - session := podmanTest.Podman([]string{"run", "-it", "--security-opt", "seccomp=unconfined", ALPINE, "echo", "hello"}) - session.WaitWithDefaultTimeout() - Expect(session.ExitCode()).To(Equal(0)) - match, _ := session.GrepString("hello") - Expect(match).Should(BeTrue()) - }) - It("podman run seccomp test", func() { jsonFile := filepath.Join(podmanTest.TempDir, "seccomp.json") in := []byte(`{"defaultAction":"SCMP_ACT_ALLOW","syscalls":[{"name":"getcwd","action":"SCMP_ACT_ERRNO"}]}`) |