Provide correct SELinux mount-label for restored container
Restoring a container from a checkpoint archive creates a completely new root file-system. This file-system needs to have the correct SELinux label or most things in that restored container will fail. Running processes are not as problematic as newly exec()'d processes (internally or via 'podman exec'). This patch tells the storage setup which label should be used to mount the container's root file-system. Signed-off-by: Adrian Reber <areber@redhat.com>
parent
94e2a0cd63
commit
220e169cc1
|
@ -351,6 +351,16 @@ func (c *Container) setupStorage(ctx context.Context) error {
|
|||
},
|
||||
LabelOpts: c.config.LabelOpts,
|
||||
}
|
||||
if c.restoreFromCheckpoint {
|
||||
// If restoring from a checkpoint, the root file-system
|
||||
// needs to be mounted with the same SELinux labels as
|
||||
// it was mounted previously.
|
||||
if options.Flags == nil {
|
||||
options.Flags = make(map[string]interface{})
|
||||
}
|
||||
options.Flags["ProcessLabel"] = c.config.ProcessLabel
|
||||
options.Flags["MountLabel"] = c.config.MountLabel
|
||||
}
|
||||
if c.config.Privileged {
|
||||
privOpt := func(opt string) bool {
|
||||
for _, privopt := range []string{"nodev", "nosuid", "noexec"} {
|
||||
|
|
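Review bot: The two assignments to `options.Flags["ProcessLabel"]` and `options.Flags["MountLabel"]` copy the `c.config` values unconditionally, so a restored container whose config has an empty label, or only one of the two set, hands the storage layer an empty string instead of leaving the key unset. Wrapping the two assignments in `if c.config.ProcessLabel != "" && c.config.MountLabel != "" {` would keep the pre-patch behaviour in that case. On restore these values presumably come from the checkpoint archive, so the comment should state that the archive is trusted to choose the root file-system's SELinux label. It should also say whether the restored MCS categories are reserved so no other container on the host can be given the same pair; neither is visible in this hunk. `LabelOpts` is still passed a few lines earlier, so it is worth noting which of the two takes precedence; `setupStorage` begins and ends outside the hunk.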