From c734a6c44e1624dab786c85026bcd8a13e7f2b01 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh <dwalsh@redhat.com>
Date: Tue, 30 Jun 2020 13:36:45 -0400
Subject: [PATCH] Disable SELinux labeling if privileged and user does not
 specify labels

The previous patch mistakenly turned on SELinux even when --privileged was specified.

This patch will disable SELinux, if the user specified --privileged and
did not specify any SELinux options.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
---
 cmd/podman/shared/create.go | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/cmd/podman/shared/create.go b/cmd/podman/shared/create.go
index 11a0c9cbe8..7bb2bc896d 100644
--- a/cmd/podman/shared/create.go
+++ b/cmd/podman/shared/create.go
@@ -196,9 +196,7 @@ func CreateContainer(ctx context.Context, c *GenericCLIResults, runtime *libpod.
 }
 
 func parseSecurityOpt(config *cc.CreateConfig, securityOpts []string, runtime *libpod.Runtime) error {
-	var (
-		labelOpts []string
-	)
+	var labelOpts []string
 
 	if config.PidMode.IsHost() {
 		labelOpts = append(labelOpts, label.DisableSecOpt()...)
@@ -794,12 +792,12 @@ func ParseCreateOpts(ctx context.Context, c *GenericCLIResults, runtime *libpod.
 		Syslog:        c.Bool("syslog"),
 	}
 
-	if config.Privileged {
-		config.LabelOpts = label.DisableSecOpt()
-	}
 	if err := parseSecurityOpt(config, c.StringArray("security-opt"), runtime); err != nil {
 		return nil, err
 	}
+	if config.Privileged && len(config.LabelOpts) == 0 {
+		config.LabelOpts = label.DisableSecOpt()
+	}
 	config.SecurityOpts = c.StringArray("security-opt")
 	warnings, err := verifyContainerResources(config, false)
 	if err != nil {
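Review bot: The new guard `if config.Privileged && len(config.LabelOpts) == 0` uses an empty slice as a stand-in for "the user gave no label options", but parseSecurityOpt also appends `label.DisableSecOpt()` on its own (the host PID branch is visible in the first hunk), so the two cases are indistinguishable here. Whether that matters depends on how parseSecurityOpt populates config.LabelOpts, which is outside both hunks; if it ever fills in non-disable defaults, a privileged container would silently keep labeling on again. Since this decides whether a privileged container runs without SELinux confinement, the intent should be stated at the guard, for example `// --privileged turns SELinux labeling off unless parseSecurityOpt produced label options (e.g. --security-opt label=...)`. The commit message says the previous patch already regressed this and the diffstat shows only create.go changed, so a regression test for `--privileged` with and without `--security-opt label=...` would be worth adding. ParseCreateOpts starts and ends outside the hunk.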