opensource/podman
1
0
Fork 0
mirror of https://github.com/containers/podman.git synced 2025-10-17 03:04:21 +08:00
Code Issues Packages Projects Releases Wiki Activity

Don't disable selinux labels if user specifies a security opt

Browse Source 
Currenty if the user specifies --pid=host or --ipc=host or --privileged
then we disable SELinux labeling. If the user however specifies
--security-opt label:...  Then we assume they want to leave SELinux enabled
and know what they are doing.

This PR will leave SELinux enabled if a user specifies a --security-opt label
option.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
This commit is contained in:
Daniel J Walsh
2020-07-01 09:19:18 -04:00
parent 2ff8dc2fdc
commit 48ad0f4e8f
1 changed files with 10 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
cmd/podman/shared/create.go
View File

@ -198,9 +198,7 @@ func CreateContainer(ctx context.Context, c *GenericCLIResults, runtime *libpod.
func parseSecurityOpt(config *cc.CreateConfig, securityOpts []string, runtime *libpod.Runtime) error {
var labelOpts []string
if config.PidMode.IsHost() {
labelOpts = append(labelOpts, label.DisableSecOpt()...)
} else if config.PidMode.IsContainer() {
if config.PidMode.IsContainer() {
ctr, err := runtime.LookupContainer(config.PidMode.Container())
if err != nil {
return errors.Wrapf(err, "container %q not found", config.PidMode.Container())
@ -212,9 +210,7 @@ func parseSecurityOpt(config *cc.CreateConfig, securityOpts []string, runtime *l
labelOpts = append(labelOpts, secopts...)
}
if config.IpcMode.IsHost() {
labelOpts = append(labelOpts, label.DisableSecOpt()...)
} else if config.IpcMode.IsContainer() {
if config.IpcMode.IsContainer() {
ctr, err := runtime.LookupContainer(config.IpcMode.Container())
if err != nil {
return errors.Wrapf(err, "container %q not found", config.IpcMode.Container())
@ -255,7 +251,14 @@ func parseSecurityOpt(config *cc.CreateConfig, securityOpts []string, runtime *l
return err
}
}
config.LabelOpts = labelOpts
if len(labelOpts) > 0 {
config.LabelOpts = labelOpts
} else {
if config.Privileged || config.IpcMode.IsHost() || config.PidMode.IsHost() {
config.LabelOpts = label.DisableSecOpt()
}
}
return nil
}
@ -795,9 +798,6 @@ func ParseCreateOpts(ctx context.Context, c *GenericCLIResults, runtime *libpod.
if err := parseSecurityOpt(config, c.StringArray("security-opt"), runtime); err != nil {
return nil, err
}
if config.Privileged && len(config.LabelOpts) == 0 {
config.LabelOpts = label.DisableSecOpt()
}
config.SecurityOpts = c.StringArray("security-opt")
warnings, err := verifyContainerResources(config, false)
if err != nil {