opensource/podman
1
0
Fork 0
mirror of https://github.com/containers/podman.git synced 2025-05-17 23:26:08 +08:00
Code Issues Packages Projects Releases Wiki Activity

Ignore SELinux relabel on unsupported file systems

Browse Source 
We were ignoreing relabel requests on certain unsupported
file systems and not on others, this changes to consistently
logrus.Debug ENOTSUP file systems.

Fixes: https://github.com/containers/podman/discussions/20745

Still needs some work on the Buildah side.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
This commit is contained in:
Daniel J Walsh
2023-11-22 08:53:55 -05:00
parent b7ca114078
commit ddd6cdfd77
6 changed files with 49 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
libpod/container_internal.go
View File

@ -2514,7 +2514,7 @@ func (c *Container) extractSecretToCtrStorage(secr *ContainerSecret) error {
if err := os.Chmod(secretFile, os.FileMode(secr.Mode)); err != nil { if err := os.Chmod(secretFile, os.FileMode(secr.Mode)); err != nil {
return err return err
} }
if err := label.Relabel(secretFile, c.config.MountLabel, false); err != nil { if err := c.relabel(secretFile, c.config.MountLabel, false); err != nil {
return err return err
} }
return nil return nil

13
libpod/container_internal_common.go
View File

@ -869,7 +869,7 @@ func (c *Container) mountNotifySocket(g generate.Generator) error {
return fmt.Errorf("unable to create notify %q dir: %w", notifyDir, err) return fmt.Errorf("unable to create notify %q dir: %w", notifyDir, err)
} }
} }
if err := label.Relabel(notifyDir, c.MountLabel(), true); err != nil { if err := c.relabel(notifyDir, c.MountLabel(), true); err != nil {
return fmt.Errorf("relabel failed %q: %w", notifyDir, err) return fmt.Errorf("relabel failed %q: %w", notifyDir, err)
} }
logrus.Debugf("Add bindmount notify %q dir", notifyDir) logrus.Debugf("Add bindmount notify %q dir", notifyDir)
@ -2288,7 +2288,7 @@ func (c *Container) bindMountRootFile(source, dest string) error {
if err := os.Chown(source, c.RootUID(), c.RootGID()); err != nil { if err := os.Chown(source, c.RootUID(), c.RootGID()); err != nil {
return err return err
} }
if err := label.Relabel(source, c.MountLabel(), false); err != nil { if err := c.relabel(source, c.MountLabel(), false); err != nil {
return err return err
} }
@ -2824,7 +2824,7 @@ func (c *Container) createSecretMountDir(runPath string) error {
if err := umask.MkdirAllIgnoreUmask(src, os.FileMode(0o755)); err != nil { if err := umask.MkdirAllIgnoreUmask(src, os.FileMode(0o755)); err != nil {
return err return err
} }
if err := label.Relabel(src, c.config.MountLabel, false); err != nil { if err := c.relabel(src, c.config.MountLabel, false); err != nil {
return err return err
} }
if err := os.Chown(src, c.RootUID(), c.RootGID()); err != nil { if err := os.Chown(src, c.RootUID(), c.RootGID()); err != nil {
@ -2927,7 +2927,12 @@ func (c *Container) relabel(src, mountLabel string, shared bool) error {
return nil return nil
} }
} }
return label.Relabel(src, mountLabel, shared) err := label.Relabel(src, mountLabel, shared)
if errors.Is(err, unix.ENOTSUP) {
logrus.Debugf("Labeling not supported on %q", src)
return nil
}
return err
} }
func (c *Container) ChangeHostPathOwnership(src string, recurse bool, uid, gid int) error { func (c *Container) ChangeHostPathOwnership(src string, recurse bool, uid, gid int) error {

3
libpod/networking_linux.go
View File

@ -440,8 +440,11 @@ func (r *Runtime) GetRootlessNetNs(new bool) (*RootlessNetNS, error) {
// this is important, otherwise the iptables command will fail // this is important, otherwise the iptables command will fail
err = label.Relabel(runDir, "system_u:object_r:iptables_var_run_t:s0", false) err = label.Relabel(runDir, "system_u:object_r:iptables_var_run_t:s0", false)
if err != nil { if err != nil {
if !errors.Is(err, unix.ENOTSUP) {
return nil, fmt.Errorf("could not create relabel rootless-netns run directory: %w", err) return nil, fmt.Errorf("could not create relabel rootless-netns run directory: %w", err)
} }
logrus.Debugf("Labeling not supported on %q", runDir)
}
// create systemd run directory // create systemd run directory
err = os.MkdirAll(filepath.Join(runDir, "systemd"), 0700) err = os.MkdirAll(filepath.Join(runDir, "systemd"), 0700)
if err != nil { if err != nil {

6
libpod/util.go
View File

@ -6,6 +6,7 @@ package libpod
import ( import (
"bufio" "bufio"
"encoding/binary" "encoding/binary"
"errors"
"fmt" "fmt"
"io" "io"
"net/http" "net/http"
@ -23,6 +24,7 @@ import (
spec "github.com/opencontainers/runtime-spec/specs-go" spec "github.com/opencontainers/runtime-spec/specs-go"
"github.com/opencontainers/selinux/go-selinux/label" "github.com/opencontainers/selinux/go-selinux/label"
"github.com/sirupsen/logrus" "github.com/sirupsen/logrus"
"golang.org/x/sys/unix"
) )
// FuncTimer helps measure the execution time of a function // FuncTimer helps measure the execution time of a function
@ -273,6 +275,10 @@ func writeStringToPath(path, contents, mountLabel string, uid, gid int) error {
} }
// Relabel runDirResolv for the container // Relabel runDirResolv for the container
if err := label.Relabel(path, mountLabel, false); err != nil { if err := label.Relabel(path, mountLabel, false); err != nil {
if errors.Is(err, unix.ENOTSUP) {
logrus.Debugf("Labeling not supported on %q", path)
return nil
}
return err return err
} }

3
libpod/util_linux.go
View File

@ -4,6 +4,7 @@
package libpod package libpod
import ( import (
"errors"
"fmt" "fmt"
"os" "os"
"path/filepath" "path/filepath"
@ -146,7 +147,7 @@ func LabelVolumePath(path, mountLabel string) error {
} }
if err := lvpRelabel(path, mountLabel, true); err != nil { if err := lvpRelabel(path, mountLabel, true); err != nil {
if err == syscall.ENOTSUP { if errors.Is(err, unix.ENOTSUP) {
logrus.Debugf("Labeling not supported on %q", path) logrus.Debugf("Labeling not supported on %q", path)
} else { } else {
return fmt.Errorf("setting selinux label for %s to %q as shared: %w", path, mountLabel, err) return fmt.Errorf("setting selinux label for %s to %q as shared: %w", path, mountLabel, err)

27
test/system/410-selinux.bats
View File

@ -355,4 +355,31 @@ EOF
is "$output" "$user:system_r:container_t:$level" "Confined with role override label Correctly" is "$output" "$user:system_r:container_t:$level" "Confined with role override label Correctly"
} }
@test "podman selinux: check unsupported relabel" {
skip_if_no_selinux
skip_if_rootless
LABEL="system_u:object_r:tmp_t:s0"
RELABEL="system_u:object_r:container_file_t:s0"
tmpdir=$PODMAN_TMPDIR/vol
mkdir -p $tmpdir
mount --type tmpfs -o "context=\"$LABEL\"" tmpfs $tmpdir
run ls -dZ ${tmpdir}
is "$output" "${LABEL} ${tmpdir}" "No Relabel Correctly"
run_podman run --rm -v $tmpdir:/test:z --privileged $IMAGE true
run ls -dZ $tmpdir
is "$output" "${LABEL} $tmpdir" "Ignored shared relabel Correctly"
run_podman run --rm -v $tmpdir:/test:Z --privileged $IMAGE true
run ls -dZ $tmpdir
is "$output" "${LABEL} $tmpdir" "Ignored private relabel Correctly"}
umount $tmpdir
run_podman run --rm -v $tmpdir:/test:z --privileged $IMAGE true
run ls -dZ $tmpdir
is "$output" "${RELABEL} $tmpdir" "Ignored private relabel Correctly"}
}
# vim: filetype=sh # vim: filetype=sh