From c734a6c44e1624dab786c85026bcd8a13e7f2b01 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh <dwalsh@redhat.com>
Date: Tue, 30 Jun 2020 13:36:45 -0400
Subject: [PATCH] Disable SELinux labeling if privileged and user does not
specify labels
The previous patch mistakenly turned on SELinux even when --privileged.
This patch will disable SELinux, if the user specified --privileged and
did not specify any SELinux options.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
---
cmd/podman/shared/create.go | 10 ++++------
1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/cmd/podman/shared/create.go b/cmd/podman/shared/create.go
index 11a0c9cbe8..7bb2bc896d 100644
--- a/cmd/podman/shared/create.go
+++ b/cmd/podman/shared/create.go
@@ -196,9 +196,7 @@ func CreateContainer(ctx context.Context, c *GenericCLIResults, runtime *libpod.
}
func parseSecurityOpt(config *cc.CreateConfig, securityOpts []string, runtime *libpod.Runtime) error {
- var (
- labelOpts []string
- )
+ var labelOpts []string
if config.PidMode.IsHost() {
labelOpts = append(labelOpts, label.DisableSecOpt()...)
@@ -794,12 +792,12 @@ func ParseCreateOpts(ctx context.Context, c *GenericCLIResults, runtime *libpod.
Syslog: c.Bool("syslog"),
}
- if config.Privileged {
- config.LabelOpts = label.DisableSecOpt()
- }
if err := parseSecurityOpt(config, c.StringArray("security-opt"), runtime); err != nil {
return nil, err
}
+ if config.Privileged && len(config.LabelOpts) == 0 {
+ config.LabelOpts = label.DisableSecOpt()
+ }
config.SecurityOpts = c.StringArray("security-opt")
warnings, err := verifyContainerResources(config, false)
if err != nil {
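Review bot: The new guard `config.Privileged && len(config.LabelOpts) == 0` treats an empty slice as proof that the user gave no SELinux options, but the first hunk shows parseSecurityOpt appending to `labelOpts` on its own when `config.PidMode.IsHost()`, so a non-empty slice does not mean the labels were user-specified. That visible case is harmless because it also appends `label.DisableSecOpt()`. The rest of parseSecurityOpt lies outside the hunks, and any branch there that derives labels without user input would leave a privileged container labelled, which is presumably the safer direction but not what the commit message describes. Because this check decides whether SELinux separation is dropped, I would state the intent and the ordering dependency above it, e.g. `// --privileged disables SELinux labeling only when parseSecurityOpt produced no label options; keep this after that call.` A test covering `--privileged` with and without `--security-opt label=...` would pin the behaviour.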