Merge pull request #5817 from rhatdan/selinux1

Fix up SELinux labeling
2025-06-24 03:08:13 +08:00 · 2020-04-15 14:28:53 -07:00
parent 3500a8bc39 ac94a96a74
commit 0f7162d791
6 changed files with 31 additions and 51 deletions
--- a/cmd/podmanV2/Makefile
+++ b/cmd/podmanV2/Makefile
@ -1,10 +1,10 @@
 all: podman podman-remote

 podman:
-	CGO_ENABLED=1 GO111MODULE=off go build -tags 'ABISupport systemd varlink seccomp'
+	CGO_ENABLED=1 GO111MODULE=off go build -tags 'ABISupport systemd varlink seccomp selinux'

 podman-remote:
-	CGO_ENABLED=1 GO111MODULE=off go build -tags '!ABISupport systemd seccomp' -o podmanV2-remote
+	CGO_ENABLED=1 GO111MODULE=off go build -tags '!ABISupport systemd seccomp selinux' -o podmanV2-remote

 clean:
 	rm podmanV2 podmanV2-remote
--- a/libpod/runtime.go
+++ b/libpod/runtime.go
@ -813,3 +813,7 @@ func (r *Runtime) mergeDBConfig(dbConfig *DBConfig) error {
 	}
 	return nil
 }
+
+func (r *Runtime) EnableLabeling() bool {
+	return r.config.Containers.EnableLabeling
+}
--- a/pkg/specgen/container_validate.go
+++ b/pkg/specgen/container_validate.go
@ -68,18 +68,6 @@ func (s *SpecGenerator) Validate() error {
 	if len(s.CapAdd) > 0 && s.Privileged {
 		return exclusiveOptions("CapAdd", "privileged")
 	}
-	// selinuxprocesslabel and privileged are exclusive
-	if len(s.SelinuxProcessLabel) > 0 && s.Privileged {
-		return exclusiveOptions("SelinuxProcessLabel", "privileged")
-	}
-	// selinuxmounmtlabel and privileged are exclusive
-	if len(s.SelinuxMountLabel) > 0 && s.Privileged {
-		return exclusiveOptions("SelinuxMountLabel", "privileged")
-	}
-	// selinuxopts and privileged are exclusive
-	if len(s.SelinuxOpts) > 0 && s.Privileged {
-		return exclusiveOptions("SelinuxOpts", "privileged")
-	}
 	// apparmor and privileged are exclusive
 	if len(s.ApparmorProfile) > 0 && s.Privileged {
 		return exclusiveOptions("AppArmorProfile", "privileged")
--- a/pkg/specgen/generate/container.go
+++ b/pkg/specgen/generate/container.go
@ -113,6 +113,14 @@ func CompleteSpec(ctx context.Context, r *libpod.Runtime, s *specgen.SpecGenerat
 	if err := finishThrottleDevices(s); err != nil {
 		return err
 	}
+	// Unless already set via the CLI, check if we need to disable process
+	// labels or set the defaults.
+	if len(s.SelinuxOpts) == 0 {
+		if err := s.SetLabelOpts(r, s.PidNS, s.IpcNS); err != nil {
+			return err
+		}
+	}
+
 	return nil
 }

--- a/pkg/specgen/security.go
+++ b/pkg/specgen/security.go
@ -1,32 +1,26 @@
 package specgen

-// ToCreateOptions convert the SecurityConfig to a slice of container create
-// options.
-/*
-func (c *SecurityConfig) ToCreateOptions() ([]libpod.CtrCreateOption, error) {
-	options := make([]libpod.CtrCreateOption, 0)
-	options = append(options, libpod.WithSecLabels(c.LabelOpts))
-	options = append(options, libpod.WithPrivileged(c.Privileged))
-	return options, nil
-}
-*/
+import (
+	"github.com/containers/libpod/libpod"
+	"github.com/opencontainers/selinux/go-selinux/label"
+	"github.com/pkg/errors"
+)

 // SetLabelOpts sets the label options of the SecurityConfig according to the
 // input.
-/*
-func (c *SecurityConfig) SetLabelOpts(runtime *libpod.Runtime, pidConfig *PidConfig, ipcConfig *IpcConfig) error {
-	if c.Privileged {
-		c.LabelOpts = label.DisableSecOpt()
+func (s *SpecGenerator) SetLabelOpts(runtime *libpod.Runtime, pidConfig Namespace, ipcConfig Namespace) error {
+	if !runtime.EnableLabeling() || s.Privileged {
+		s.SelinuxOpts = label.DisableSecOpt()
 		return nil
 	}

 	var labelOpts []string
-	if pidConfig.PidMode.IsHost() {
+	if pidConfig.IsHost() {
 		labelOpts = append(labelOpts, label.DisableSecOpt()...)
-	} else if pidConfig.PidMode.IsContainer() {
-		ctr, err := runtime.LookupContainer(pidConfig.PidMode.Container())
+	} else if pidConfig.IsContainer() {
+		ctr, err := runtime.LookupContainer(pidConfig.Value)
 		if err != nil {
-			return errors.Wrapf(err, "container %q not found", pidConfig.PidMode.Container())
+			return errors.Wrapf(err, "container %q not found", pidConfig.Value)
 		}
 		secopts, err := label.DupSecOpt(ctr.ProcessLabel())
 		if err != nil {
@ -35,12 +29,12 @@ func (c *SecurityConfig) SetLabelOpts(runtime *libpod.Runtime, pidConfig *PidCon
 		labelOpts = append(labelOpts, secopts...)
 	}

-	if ipcConfig.IpcMode.IsHost() {
+	if ipcConfig.IsHost() {
 		labelOpts = append(labelOpts, label.DisableSecOpt()...)
-	} else if ipcConfig.IpcMode.IsContainer() {
-		ctr, err := runtime.LookupContainer(ipcConfig.IpcMode.Container())
+	} else if ipcConfig.IsContainer() {
+		ctr, err := runtime.LookupContainer(ipcConfig.Value)
 		if err != nil {
-			return errors.Wrapf(err, "container %q not found", ipcConfig.IpcMode.Container())
+			return errors.Wrapf(err, "container %q not found", ipcConfig.Value)
 		}
 		secopts, err := label.DupSecOpt(ctr.ProcessLabel())
 		if err != nil {
@ -49,13 +43,7 @@ func (c *SecurityConfig) SetLabelOpts(runtime *libpod.Runtime, pidConfig *PidCon
 		labelOpts = append(labelOpts, secopts...)
 	}

-	c.LabelOpts = append(c.LabelOpts, labelOpts...)
-	return nil
-}
-*/
-
-// SetSecurityOpts the the security options (labels, apparmor, seccomp, etc.).
-func SetSecurityOpts(securityOpts []string) error {
+	s.SelinuxOpts = append(s.SelinuxOpts, labelOpts...)
 	return nil
 }

--- a/pkg/specgen/specgen.go
+++ b/pkg/specgen/specgen.go
@ -228,14 +228,6 @@ type ContainerSecurityConfig struct {
 	// If SELinux is enabled and this is not specified, a label will be
 	// automatically generated if not specified.
 	// Optional.
-	SelinuxProcessLabel string `json:"selinux_process_label,omitempty"`
-	// SelinuxMountLabel is the mount label the container will use.
-	// If SELinux is enabled and this is not specified, a label will be
-	// automatically generated if not specified.
-	// Optional.
-	SelinuxMountLabel string `json:"selinux_mount_label,omitempty"`
-	// SelinuxOpts are options for configuring SELinux.
-	// Optional.
 	SelinuxOpts []string `json:"selinux_opts,omitempty"`
 	// ApparmorProfile is the name of the Apparmor profile the container
 	// will use.