From dc8fdb46c5eda03afed31708474664a52ac958b0 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Sat, 17 Sep 2022 07:14:29 -0400
Subject: label.Relabel third option is shared not recurse
There is no option in Selinux labeling to only relabel the top level of a directory. The option is to either label the path shared or not shared. Changing to make sure future engineers do not assume that recurse can work. [NO NEW TESTS NEEDED]
Signed-off-by: Daniel J Walsh
---
 libpod/container_internal_common.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libpod/container_internal_common.go b/libpod/container_internal_common.go
index 9c4a3bb67..a0ae22ff4 100644
--- a/libpod/container_internal_common.go
+++ b/libpod/container_internal_common.go
@@ -2659,7 +2659,7 @@ func (c *Container) fixVolumePermissions(v *ContainerNamedVolume) error {
 return nil
 }

-func (c *Container) relabel(src, mountLabel string, recurse bool) error {
+func (c *Container) relabel(src, mountLabel string, shared bool) error {
 if !selinux.GetEnabled() || mountLabel == "" {
 return nil
 }
@@ -2674,7 +2674,7 @@ func (c *Container) relabel(src, mountLabel string, recurse bool) error {
 return nil
 }
 }
- return label.Relabel(src, mountLabel, recurse)
+ return label.Relabel(src, mountLabel, shared)
 }

 func (c *Container) ChangeHostPathOwnership(src string, recurse bool, uid, gid int) error {
-- cgit v1.2.3-54-g00ecf
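Review bot: The renamed `shared` parameter on `relabel` (first hunk, passed to `label.Relabel` in the second) still has no doc comment, so the security meaning of the flag rests on the name alone. I would add above the signature `// relabel applies mountLabel to src and everything beneath it; when shared is true the MCS categories are dropped so other containers can access the content.` That wording follows how the selinux label package describes Relabel as I recall it, so please confirm it against the vendored version. No call site is touched by this commit, so it is worth checking that none of them passes true expecting only recursion, since that would presumably widen access to the volume rather than just change traversal depth. The middle of relabel's body lies between the two hunks and is not visible here.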