|
 |
628da5 |
From 48ad0f4e8f36918406b95e498f6750e5d5cf749a Mon Sep 17 00:00:00 2001
|
|
|
628da5 |
From: Daniel J Walsh <dwalsh@redhat.com>
|
|
|
628da5 |
Date: Wed, 1 Jul 2020 09:19:18 -0400
|
|
|
628da5 |
Subject: [PATCH] Don't disable selinux labels if user specifies a security opt
|
|
|
628da5 |
|
|
|
628da5 |
Currenty if the user specifies --pid=host or --ipc=host or --privileged
|
|
|
628da5 |
then we disable SELinux labeling. If the user however specifies
|
|
|
628da5 |
--security-opt label:... Then we assume they want to leave SELinux enabled
|
|
|
628da5 |
and know what they are doing.
|
|
|
628da5 |
|
|
|
628da5 |
This PR will leave SELinux enabled if a user specifies a --security-opt label
|
|
|
628da5 |
option.
|
|
|
628da5 |
|
|
|
628da5 |
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
|
|
628da5 |
---
|
|
|
628da5 |
cmd/podman/shared/create.go | 20 ++++++++++----------
|
|
|
628da5 |
1 file changed, 10 insertions(+), 10 deletions(-)
|
|
|
628da5 |
|
|
|
628da5 |
diff --git a/cmd/podman/shared/create.go b/cmd/podman/shared/create.go
|
|
|
628da5 |
index 7bb2bc896d..dda36826ec 100644
|
|
|
628da5 |
--- a/cmd/podman/shared/create.go
|
|
|
628da5 |
+++ b/cmd/podman/shared/create.go
|
|
|
628da5 |
@@ -198,9 +198,7 @@ func CreateContainer(ctx context.Context, c *GenericCLIResults, runtime *libpod.
|
|
|
628da5 |
func parseSecurityOpt(config *cc.CreateConfig, securityOpts []string, runtime *libpod.Runtime) error {
|
|
|
628da5 |
var labelOpts []string
|
|
|
628da5 |
|
|
|
628da5 |
- if config.PidMode.IsHost() {
|
|
|
628da5 |
- labelOpts = append(labelOpts, label.DisableSecOpt()...)
|
|
|
628da5 |
- } else if config.PidMode.IsContainer() {
|
|
|
628da5 |
+ if config.PidMode.IsContainer() {
|
|
|
628da5 |
ctr, err := runtime.LookupContainer(config.PidMode.Container())
|
|
|
628da5 |
if err != nil {
|
|
|
628da5 |
return errors.Wrapf(err, "container %q not found", config.PidMode.Container())
|
|
|
628da5 |
@@ -212,9 +210,7 @@ func parseSecurityOpt(config *cc.CreateConfig, securityOpts []string, runtime *l
|
|
|
628da5 |
labelOpts = append(labelOpts, secopts...)
|
|
|
628da5 |
}
|
|
|
628da5 |
|
|
|
628da5 |
- if config.IpcMode.IsHost() {
|
|
|
628da5 |
- labelOpts = append(labelOpts, label.DisableSecOpt()...)
|
|
|
628da5 |
- } else if config.IpcMode.IsContainer() {
|
|
|
628da5 |
+ if config.IpcMode.IsContainer() {
|
|
|
628da5 |
ctr, err := runtime.LookupContainer(config.IpcMode.Container())
|
|
|
628da5 |
if err != nil {
|
|
|
628da5 |
return errors.Wrapf(err, "container %q not found", config.IpcMode.Container())
|
|
|
628da5 |
@@ -255,7 +251,14 @@ func parseSecurityOpt(config *cc.CreateConfig, securityOpts []string, runtime *l
|
|
|
628da5 |
return err
|
|
|
628da5 |
}
|
|
|
628da5 |
}
|
|
|
628da5 |
- config.LabelOpts = labelOpts
|
|
|
628da5 |
+ if len(labelOpts) > 0 {
|
|
|
628da5 |
+ config.LabelOpts = labelOpts
|
|
|
628da5 |
+ } else {
|
|
|
628da5 |
+ if config.Privileged || config.IpcMode.IsHost() || config.PidMode.IsHost() {
|
|
|
628da5 |
+ config.LabelOpts = label.DisableSecOpt()
|
|
|
628da5 |
+ }
|
|
|
628da5 |
+ }
|
|
|
628da5 |
+
|
|
|
628da5 |
return nil
|
|
|
628da5 |
}
|
|
|
628da5 |
|
|
|
628da5 |
@@ -795,9 +798,6 @@ func ParseCreateOpts(ctx context.Context, c *GenericCLIResults, runtime *libpod.
|
|
|
628da5 |
if err := parseSecurityOpt(config, c.StringArray("security-opt"), runtime); err != nil {
|
|
|
628da5 |
return nil, err
|
|
|
628da5 |
}
|
|
|
628da5 |
- if config.Privileged && len(config.LabelOpts) == 0 {
|
|
|
628da5 |
- config.LabelOpts = label.DisableSecOpt()
|
|
|
628da5 |
- }
|
|
|
628da5 |
config.SecurityOpts = c.StringArray("security-opt")
|
|
|
628da5 |
warnings, err := verifyContainerResources(config, false)
|
|
|
628da5 |
if err != nil {
|