From 220e169cc1f04a17b25d7af0994715f75be0d249 Mon Sep 17 00:00:00 2001
From: Adrian Reber
Date: Tue, 25 Jun 2019 12:36:05 +0000
Subject: Provide correct SELinux mount-label for restored container
Restoring a container from a checkpoint archive creates a complete new root file-system. This file-system needs to have the correct SELinux label or most things in that restored container will fail. Running processes are not as problematic as newly exec()'d process (internally or via 'podman exec'). This patch tells the storage setup which label should be used to mount the container's root file-system.
Signed-off-by: Adrian Reber
---
libpod/container_internal.go | 10 ++++++++++
1 file changed, 10 insertions(+)
(limited to 'libpod/container_internal.go')
diff --git a/libpod/container_internal.go b/libpod/container_internal.go
index 56fd27afb..5d824908c 100644
--- a/libpod/container_internal.go
+++ b/libpod/container_internal.go
@@ -351,6 +351,16 @@ func (c *Container) setupStorage(ctx context.Context) error {
 },
 LabelOpts: c.config.LabelOpts,
 }
+ if c.restoreFromCheckpoint {
+ // If restoring from a checkpoint, the root file-system
+ // needs to be mounted with the same SELinux labels as
+ // it was mounted previously.
+ if options.Flags == nil {
+ options.Flags = make(map[string]interface{})
+ }
+ options.Flags["ProcessLabel"] = c.config.ProcessLabel
+ options.Flags["MountLabel"] = c.config.MountLabel
+ }
 if c.config.Privileged {
 privOpt := func(opt string) bool {
 for _, privopt := range []string{"nodev", "nosuid", "noexec"} {
-- 
cgit v1.2.3-54-g00ecf
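Review bot: The two assignments into options.Flags are unconditional, so a restored container whose config carries an empty ProcessLabel or MountLabel (SELinux disabled on the checkpointing host, or a label absent from the archive's config) hands the storage layer an explicit empty string instead of leaving the key unset; if the storage layer treats an explicit empty value differently from an absent key, that can suppress whatever label it would otherwise pick. Guarding each write, `if c.config.MountLabel != "" { options.Flags["MountLabel"] = c.config.MountLabel }` and the same for ProcessLabel, keeps the pre-patch behaviour for unlabeled containers. Both values come from the checkpointed container's config rather than being derived from this host's policy, which is worth stating in the comment, e.g. `// Labels are taken from the checkpoint's config as-is; they are not re-derived here.` setupStorage begins before and continues after this hunk.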