Ignore SELinux relabel on unsupported file systems
We were ignoring relabel requests on certain unsupported file systems but not on others; this changes the code to consistently log an ENOTSUP from such file systems at debug level (logrus.Debug) instead of failing. Fixes: https://github.com/containers/podman/discussions/20745 Still needs some work on the Buildah side. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
@ -2514,7 +2514,7 @@ func (c *Container) extractSecretToCtrStorage(secr *ContainerSecret) error {
|
||||
if err := os.Chmod(secretFile, os.FileMode(secr.Mode)); err != nil {
|
||||
return err
|
||||
}
|
||||
if err := label.Relabel(secretFile, c.config.MountLabel, false); err != nil {
|
||||
if err := c.relabel(secretFile, c.config.MountLabel, false); err != nil {
|
||||
return err
|
||||
}
|
||||
return nil
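Review bot: The error from the new `c.relabel` call is returned bare, while the sibling call in mountNotifySocket in this same commit wraps it with the path; for a secret file a bare lsetxattr error gives the operator nothing to act on, so `return fmt.Errorf("relabeling secret file %q: %w", secretFile, err)` would be better. Note also that, after this swap, an ENOTSUP from the storage filesystem is swallowed inside `c.relabel` and the secret is installed carrying the filesystem's default label rather than the container's mount label; a one-line comment above the call, `// best effort: relabel() skips filesystems that cannot hold SELinux labels`, would make that visible at this site. extractSecretToCtrStorage starts outside the hunk.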
|
||||
|
@ -869,7 +869,7 @@ func (c *Container) mountNotifySocket(g generate.Generator) error {
|
||||
return fmt.Errorf("unable to create notify %q dir: %w", notifyDir, err)
|
||||
}
|
||||
}
|
||||
if err := label.Relabel(notifyDir, c.MountLabel(), true); err != nil {
|
||||
if err := c.relabel(notifyDir, c.MountLabel(), true); err != nil {
|
||||
return fmt.Errorf("relabel failed %q: %w", notifyDir, err)
|
||||
}
|
||||
logrus.Debugf("Add bindmount notify %q dir", notifyDir)
|
||||
@ -2288,7 +2288,7 @@ func (c *Container) bindMountRootFile(source, dest string) error {
|
||||
if err := os.Chown(source, c.RootUID(), c.RootGID()); err != nil {
|
||||
return err
|
||||
}
|
||||
if err := label.Relabel(source, c.MountLabel(), false); err != nil {
|
||||
if err := c.relabel(source, c.MountLabel(), false); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
@ -2824,7 +2824,7 @@ func (c *Container) createSecretMountDir(runPath string) error {
|
||||
if err := umask.MkdirAllIgnoreUmask(src, os.FileMode(0o755)); err != nil {
|
||||
return err
|
||||
}
|
||||
if err := label.Relabel(src, c.config.MountLabel, false); err != nil {
|
||||
if err := c.relabel(src, c.config.MountLabel, false); err != nil {
|
||||
return err
|
||||
}
|
||||
if err := os.Chown(src, c.RootUID(), c.RootGID()); err != nil {
|
||||
@ -2927,7 +2927,12 @@ func (c *Container) relabel(src, mountLabel string, shared bool) error {
|
||||
return nil
|
||||
}
|
||||
}
|
||||
return label.Relabel(src, mountLabel, shared)
|
||||
err := label.Relabel(src, mountLabel, shared)
|
||||
if errors.Is(err, unix.ENOTSUP) {
|
||||
logrus.Debugf("Labeling not supported on %q", src)
|
||||
return nil
|
||||
}
|
||||
return err
|
||||
}
|
||||
|
||||
func (c *Container) ChangeHostPathOwnership(src string, recurse bool, uid, gid int) error {
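Review bot: `relabel` is now the one place where an ENOTSUP from `label.Relabel` is turned into success, but nothing at the definition records that contract, and the debug line drops the label that was requested. Suggest documenting the method — `// relabel applies mountLabel to src; filesystems that cannot store SELinux labels (ENOTSUP) are skipped with a debug message instead of an error.` — and logging the dropped label, `logrus.Debugf("Labeling not supported on %q, ignoring requested label %q", src, mountLabel)`. Because a caller asking for a private label gets nil back here, the isolation it asked for silently does not happen; it is worth deciding whether that case deserves a warning rather than debug output. The method's opening lines, including the early-return conditions whose tail appears at the top of the hunk, are outside the hunk.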
|
||||
|
@ -440,7 +440,10 @@ func (r *Runtime) GetRootlessNetNs(new bool) (*RootlessNetNS, error) {
|
||||
// this is important, otherwise the iptables command will fail
|
||||
err = label.Relabel(runDir, "system_u:object_r:iptables_var_run_t:s0", false)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("could not create relabel rootless-netns run directory: %w", err)
|
||||
if !errors.Is(err, unix.ENOTSUP) {
|
||||
return nil, fmt.Errorf("could not create relabel rootless-netns run directory: %w", err)
|
||||
}
|
||||
logrus.Debugf("Labeling not supported on %q", runDir)
|
||||
}
|
||||
// create systemd run directory
|
||||
err = os.MkdirAll(filepath.Join(runDir, "systemd"), 0700)
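Review bot: The comment kept at the top of the hunk still says the relabel is required or the iptables command will fail, while the new branch treats ENOTSUP as acceptable and logs at debug; the two now disagree, and if the comment is right the iptables failure may surface later with no visible hint at the default log level. Suggest updating the comment, e.g. `// Needed so SELinux allows iptables to use runDir; filesystems that cannot hold labels (ENOTSUP) keep their mount context and are only logged.`, and considering `logrus.Warnf` rather than `Debugf` for this particular directory given the downstream consequence. The error string on the kept `return` also reads oddly ("could not create relabel"); `return nil, fmt.Errorf("could not relabel rootless-netns run directory %q: %w", runDir, err)` is clearer. GetRootlessNetNs continues outside the hunk.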
|
||||
|
@ -6,6 +6,7 @@ package libpod
|
||||
import (
|
||||
"bufio"
|
||||
"encoding/binary"
|
||||
"errors"
|
||||
"fmt"
|
||||
"io"
|
||||
"net/http"
|
||||
@ -23,6 +24,7 @@ import (
|
||||
spec "github.com/opencontainers/runtime-spec/specs-go"
|
||||
"github.com/opencontainers/selinux/go-selinux/label"
|
||||
"github.com/sirupsen/logrus"
|
||||
"golang.org/x/sys/unix"
|
||||
)
|
||||
|
||||
// FuncTimer helps measure the execution time of a function
|
||||
@ -273,6 +275,10 @@ func writeStringToPath(path, contents, mountLabel string, uid, gid int) error {
|
||||
}
|
||||
// Relabel runDirResolv for the container
|
||||
if err := label.Relabel(path, mountLabel, false); err != nil {
|
||||
if errors.Is(err, unix.ENOTSUP) {
|
||||
logrus.Debugf("Labeling not supported on %q", path)
|
||||
return nil
|
||||
}
|
||||
return err
|
||||
}
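Review bot: The ENOTSUP branch ends with `return nil` from the middle of writeStringToPath, whose body continues past the hunk; that is only equivalent to the old flow if no work follows the relabel, and it is a different shape from the guard-and-fall-through used in the rootless-netns hunk of this commit. The `// Relabel runDirResolv for the container` comment is also stale for a generic write helper that takes the label as a parameter. Beyond this hunk, the same four-line ENOTSUP policy is now copied into `Container.relabel`, GetRootlessNetNs, this function and LabelVolumePath; a single package-level helper (something like `relabelIgnoreUnsupported(path, mountLabel string, shared bool) error`) would state the rule once and keep the log message and error wrapping consistent. A restructured version of the block that avoids the early return is below.
```go
	// Apply mountLabel to path; filesystems that cannot hold SELinux labels
	// (ENOTSUP) are skipped rather than treated as an error.
	if err := label.Relabel(path, mountLabel, false); err != nil {
		if !errors.Is(err, unix.ENOTSUP) {
			return err
		}
		logrus.Debugf("Labeling not supported on %q", path)
	}
	// … unchanged: remainder of writeStringToPath …
```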
|
||||
|
||||
|
@ -4,6 +4,7 @@
|
||||
package libpod
|
||||
|
||||
import (
|
||||
"errors"
|
||||
"fmt"
|
||||
"os"
|
||||
"path/filepath"
|
||||
@ -146,7 +147,7 @@ func LabelVolumePath(path, mountLabel string) error {
|
||||
}
|
||||
|
||||
if err := lvpRelabel(path, mountLabel, true); err != nil {
|
||||
if err == syscall.ENOTSUP {
|
||||
if errors.Is(err, unix.ENOTSUP) {
|
||||
logrus.Debugf("Labeling not supported on %q", path)
|
||||
} else {
|
||||
return fmt.Errorf("setting selinux label for %s to %q as shared: %w", path, mountLabel, err)
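Review bot: The import hunk adds `errors` but not `golang.org/x/sys/unix`, so the new `errors.Is(err, unix.ENOTSUP)` presumably relies on an import already present above the visible lines; conversely, if `syscall` was imported only for the removed `syscall.ENOTSUP` comparison it is now unused and the file will not compile until it is dropped — worth a goimports pass over this file. The `if … { Debugf } else { return … }` shape could be flattened to the guard form used in the rootless-netns hunk of this commit, `if !errors.Is(err, unix.ENOTSUP) { return fmt.Errorf("setting selinux label for %s to %q as shared: %w", path, mountLabel, err) }` followed by the debug line, keeping the happy path left-aligned. LabelVolumePath starts and ends outside the hunk.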
|
||||
|
@ -355,4 +355,31 @@ EOF
|
||||
is "$output" "$user:system_r:container_t:$level" "Confined with role override label Correctly"
|
||||
}
|
||||
|
||||
@test "podman selinux: check unsupported relabel" {
|
||||
skip_if_no_selinux
|
||||
skip_if_rootless
|
||||
|
||||
LABEL="system_u:object_r:tmp_t:s0"
|
||||
RELABEL="system_u:object_r:container_file_t:s0"
|
||||
tmpdir=$PODMAN_TMPDIR/vol
|
||||
mkdir -p $tmpdir
|
||||
|
||||
mount --type tmpfs -o "context=\"$LABEL\"" tmpfs $tmpdir
|
||||
|
||||
run ls -dZ ${tmpdir}
|
||||
is "$output" "${LABEL} ${tmpdir}" "No Relabel Correctly"
|
||||
run_podman run --rm -v $tmpdir:/test:z --privileged $IMAGE true
|
||||
run ls -dZ $tmpdir
|
||||
is "$output" "${LABEL} $tmpdir" "Ignored shared relabel Correctly"
|
||||
|
||||
run_podman run --rm -v $tmpdir:/test:Z --privileged $IMAGE true
|
||||
run ls -dZ $tmpdir
|
||||
is "$output" "${LABEL} $tmpdir" "Ignored private relabel Correctly"}
|
||||
umount $tmpdir
|
||||
|
||||
run_podman run --rm -v $tmpdir:/test:z --privileged $IMAGE true
|
||||
run ls -dZ $tmpdir
|
||||
is "$output" "${RELABEL} $tmpdir" "Ignored private relabel Correctly"}
|
||||
}
|
||||
|
||||
# vim: filetype=sh
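Review bot: The two `is … "Ignored private relabel Correctly"}` lines carry a stray `}` outside the closing quote, which bash appends to the message argument, and the last of them is the wrong message for what is asserted — after the `umount` the `:z` relabel is expected to take effect, so it should read something like `is "$output" "${RELABEL} $tmpdir" "Shared relabel applied after umount"`. The tmpfs mount is only undone on the success path: a failing `run_podman` or `is` before `umount $tmpdir` leaves `$PODMAN_TMPDIR/vol` mounted for later tests, so the mount should be paired with cleanup that always runs (a `teardown` hook or `umount $tmpdir || true` placed before the assertions that can fail). Only `:z` is exercised on the unmounted path; a matching `:Z` run would also cover the private-label case the first half of the test checks.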
|
||||
|