1 files changed, 21 insertions, 11 deletions

diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go
index c6839ffd0..7d57e8965 100644
--- a/libpod/container_internal_linux.go
+++ b/libpod/container_internal_linux.go
@@ -378,14 +378,8 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) {
 			case "z":
 				fallthrough
 			case "Z":
-				if c.MountLabel() != "" {
-					if c.ProcessLabel() != "" {
-						if err := label.Relabel(m.Source, c.MountLabel(), label.IsShared(o)); err != nil {
-							return nil, err
-						}
-					} else {
-						logrus.Infof("Not relabeling volume %q in container %s as SELinux is disabled", m.Source, c.ID())
-					}
+				if err := label.Relabel(m.Source, c.MountLabel(), label.IsShared(o)); err != nil {
+					return nil, err
 				}
 
 			default:
@@ -466,11 +460,11 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) {
 	// Add image volumes as overlay mounts
 	for _, volume := range c.config.ImageVolumes {
 		// Mount the specified image.
-		img, err := c.runtime.ImageRuntime().NewFromLocal(volume.Source)
+		img, _, err := c.runtime.LibimageRuntime().LookupImage(volume.Source, nil)
 		if err != nil {
 			return nil, errors.Wrapf(err, "error creating image volume %q:%q", volume.Source, volume.Dest)
 		}
-		mountPoint, err := img.Mount(nil, "")
+		mountPoint, err := img.Mount(ctx, nil, "")
 		if err != nil {
 			return nil, errors.Wrapf(err, "error mounting image volume %q:%q", volume.Source, volume.Dest)
 		}
@@ -2230,6 +2224,17 @@ func (c *Container) generatePasswdAndGroup() (string, string, error) {
 	return passwdPath, groupPath, nil
 }
 
+func isRootlessCgroupSet(cgroup string) bool {
+	// old versions of podman were setting the CgroupParent to CgroupfsDefaultCgroupParent
+	// by default.  Avoid breaking these versions and check whether the cgroup parent is
+	// set to the default and in this case enable the old behavior.  It should not be a real
+	// problem because the default CgroupParent is usually owned by root so rootless users
+	// cannot access it.
+	// This check might be lifted in a future version of Podman.
+	// Check both that the cgroup or its parent is set to the default value (used by pods).
+	return cgroup != CgroupfsDefaultCgroupParent && filepath.Dir(cgroup) != CgroupfsDefaultCgroupParent
+}
+
 // Get cgroup path in a format suitable for the OCI spec
 func (c *Container) getOCICgroupPath() (string, error) {
 	unified, err := cgroups.IsCgroup2UnifiedMode()
@@ -2238,8 +2243,13 @@ func (c *Container) getOCICgroupPath() (string, error) {
 	}
 	cgroupManager := c.CgroupManager()
 	switch {
-	case (rootless.IsRootless() && (cgroupManager == config.CgroupfsCgroupsManager || !unified)) || c.config.NoCgroups:
+	case c.config.NoCgroups:
 		return "", nil
+	case (rootless.IsRootless() && (cgroupManager == config.CgroupfsCgroupsManager || !unified)):
+		if !isRootlessCgroupSet(c.config.CgroupParent) {
+			return "", nil
+		}
+		return c.config.CgroupParent, nil
 	case c.config.CgroupsMode == cgroupSplit:
 		if c.config.CgroupParent != "" {
 			return c.config.CgroupParent, nil