From c4ca3c71ffe3c08bc74158340b3427d00efdfe32 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Wed, 15 Apr 2020 14:48:53 -0400 Subject: Add support for selecting kvm and systemd labels In order to better support kata containers and systemd containers container-selinux has added new types. Podman should execute the container with an SELinux process label to match the container type. Traditional Container process : container_t KVM Container Process: containre_kvm_t PID 1 Init process: container_init_t Signed-off-by: Daniel J Walsh --- pkg/util/utils.go | 36 ++++++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) (limited to 'pkg') diff --git a/pkg/util/utils.go b/pkg/util/utils.go index 1051ed311..2500693d7 100644 --- a/pkg/util/utils.go +++ b/pkg/util/utils.go @@ -22,6 +22,7 @@ import ( "github.com/containers/storage" "github.com/containers/storage/pkg/idtools" v1 "github.com/opencontainers/image-spec/specs-go/v1" + "github.com/opencontainers/selinux/go-selinux" "github.com/pkg/errors" "github.com/sirupsen/logrus" "github.com/spf13/pflag" @@ -666,3 +667,38 @@ func ValidateSysctls(strSlice []string) (map[string]string, error) { } return sysctl, nil } + +// SELinuxKVMLabel returns labels for running kvm isolated containers +func SELinuxKVMLabel(cLabel string) (string, error) { + if cLabel == "" { + // selinux is disabled + return "", nil + } + processLabel, _ := selinux.KVMContainerLabels() + selinux.ReleaseLabel(processLabel) + return swapSELinuxLabel(cLabel, processLabel) +} + +// SELinuxInitLabel returns labels for running systemd based containers +func SELinuxInitLabel(cLabel string) (string, error) { + if cLabel == "" { + // selinux is disabled + return "", nil + } + processLabel, _ := selinux.InitContainerLabels() + selinux.ReleaseLabel(processLabel) + return swapSELinuxLabel(cLabel, processLabel) +} + +func swapSELinuxLabel(cLabel, processLabel string) (string, error) { + dcon, err := selinux.NewContext(cLabel) + if err != nil { + return "", err + } + scon, err := selinux.NewContext(processLabel) + if err != nil { + return "", err + } + dcon["type"] = scon["type"] + return dcon.Get(), nil +} -- cgit v1.2.3-54-g00ecf