Fix handling of user specified container labels

Currently we override the SELinux labels specified by the user if the container is runing a kata container or systemd container. This PR fixes to use the label specified by the user. Fixes: https://github.com/containers/podman/issues/11100 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2024-10-20 17:23:30 +00:00 · 2021-08-02 16:33:33 -04:00 · 2021-08-02 16:33:33 -04:00 · 985c717085
parent 58cdb3236f
commit 985c717085
2 changed files with 35 additions and 13 deletions
--- a/libpod/container_internal.go
+++ b/libpod/container_internal.go
@ -472,20 +472,10 @@ func (c *Container) setupStorage(ctx context.Context) error {
 	c.config.IDMappings.UIDMap = containerInfo.UIDMap
 	c.config.IDMappings.GIDMap = containerInfo.GIDMap

-	processLabel := containerInfo.ProcessLabel
-	switch {
-	case c.ociRuntime.SupportsKVM():
-		processLabel, err = selinux.KVMLabel(processLabel)
-		if err != nil {
-			return err
-		}
-	case c.config.Systemd:
-		processLabel, err = selinux.InitLabel(processLabel)
-		if err != nil {
-			return err
-		}
+	processLabel, err := c.processLabel(containerInfo.ProcessLabel)
+	if err != nil {
+		return err
 	}
-
 	c.config.ProcessLabel = processLabel
 	c.config.MountLabel = containerInfo.MountLabel
 	c.config.StaticDir = containerInfo.Dir
@ -520,6 +510,26 @@ func (c *Container) setupStorage(ctx context.Context) error {
 	return nil
 }

+func (c *Container) processLabel(processLabel string) (string, error) {
+	if !c.config.Systemd && !c.ociRuntime.SupportsKVM() {
+		return processLabel, nil
+	}
+	ctrSpec, err := c.specFromState()
+	if err != nil {
+		return "", err
+	}
+	label, ok := ctrSpec.Annotations[define.InspectAnnotationLabel]
+	if !ok || !strings.Contains(label, "type:") {
+		switch {
+		case c.ociRuntime.SupportsKVM():
+			return selinux.KVMLabel(processLabel)
+		case c.config.Systemd:
+			return selinux.InitLabel(processLabel)
+		}
+	}
+	return processLabel, nil
+}
+
 // Tear down a container's storage prior to removal
 func (c *Container) teardownStorage() error {
 	if c.ensureState(define.ContainerStateRunning, define.ContainerStatePaused) {
--- a/test/system/410-selinux.bats
+++ b/test/system/410-selinux.bats
@ -50,6 +50,18 @@ function check_label() {
    check_label "--systemd=always" "container_init_t"
 }

+@test "podman selinux: init container with --security-opt type" {
+    check_label "--systemd=always --security-opt=label=type:spc_t" "spc_t"
+}
+
+@test "podman selinux: init container with --security-opt level&type" {
+    check_label "--systemd=always --security-opt=label=level:s0:c1,c2 --security-opt=label=type:spc_t" "spc_t" "s0:c1,c2"
+}
+
+@test "podman selinux: init container with --security-opt level" {
+    check_label "--systemd=always --security-opt=label=level:s0:c1,c2" "container_init_t"  "s0:c1,c2"
+}
+
@test "podman selinux: pid=host" {
    # FIXME this test fails when run rootless with runc:
    #   Error: container_linux.go:367: starting container process caused: process_linux.go:495: container init caused: readonly path /proc/asound: operation not permitted: OCI permission denied