From 6efca0bbac4346be1c9693c5ef5c592f2fc21035 Mon Sep 17 00:00:00 2001 From: Matthew Heon Date: Thu, 13 May 2021 14:41:38 -0400 Subject: Ensure that :Z/:z/:U can be used with named volumes Docker allows relabeling of any volume passed in via -v, even including named volumes. This normally isn't an issue at all, given named volumes get the right label for container access automatically, but this becomes an issue when volume plugins are involved - these aren't managed by Podman, and may well be unaware of SELinux labelling. We could automatically relabel these volumes on creation, but I'm still reluctant to do that (feels like it could break things). Instead, let's allow :z and :Z to be used with named volumes, so users can explicitly request relabel of a volume plugin-backed volume. We also get :U at the same time. I don't see any real need for it but it also doesn't seem to hurt, so I didn't bother disabling it. Fixes #10273 Signed-off-by: Matthew Heon --- test/e2e/run_selinux_test.go | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'test') diff --git a/test/e2e/run_selinux_test.go b/test/e2e/run_selinux_test.go index 6abe152a9..2886f06c1 100644 --- a/test/e2e/run_selinux_test.go +++ b/test/e2e/run_selinux_test.go @@ -343,4 +343,12 @@ var _ = Describe("Podman run", func() { session.WaitWithDefaultTimeout() Expect(session.OutputToString()).To(ContainSubstring("container_init_t")) }) + + It("podman relabels named volume with :Z", func() { + session := podmanTest.Podman([]string{"run", "-v", "testvol:/test1/test:Z", fedoraMinimal, "ls", "-alZ", "/test1"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + match, _ := session.GrepString(":s0:") + Expect(match).Should(BeTrue()) + }) }) -- cgit v1.2.3-54-g00ecf