diff --git a/SOURCES/podman-1846364-part2.patch b/SOURCES/podman-1846364-part2.patch
new file mode 100644
index 0000000..405f84f
--- /dev/null
+++ b/SOURCES/podman-1846364-part2.patch
@@ -0,0 +1,47 @@
+From c734a6c44e1624dab786c85026bcd8a13e7f2b01 Mon Sep 17 00:00:00 2001
+From: Daniel J Walsh <dwalsh@redhat.com>
+Date: Tue, 30 Jun 2020 13:36:45 -0400
+Subject: [PATCH] Disable SELinux labeling if privileged and user does not
+ specify labels
+
+The previous patch mistakenly turned on SELinux even when --privileged.
+
+This patch will disable SELinux, if the user specified --privileged and
+did not specify any SELinux options.
+
+Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
+---
+ cmd/podman/shared/create.go | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/cmd/podman/shared/create.go b/cmd/podman/shared/create.go
+index 11a0c9cbe8..7bb2bc896d 100644
+--- a/cmd/podman/shared/create.go
++++ b/cmd/podman/shared/create.go
+@@ -196,9 +196,7 @@ func CreateContainer(ctx context.Context, c *GenericCLIResults, runtime *libpod.
+ }
+
+ func parseSecurityOpt(config *cc.CreateConfig, securityOpts []string, runtime *libpod.Runtime) error {
+- var (
+- labelOpts []string
+- )
++ var labelOpts []string
+
+ if config.PidMode.IsHost() {
+ labelOpts = append(labelOpts, label.DisableSecOpt()...)
+@@ -794,12 +792,12 @@ func ParseCreateOpts(ctx context.Context, c *GenericCLIResults, runtime *libpod.
+ Syslog: c.Bool("syslog"),
+ }
+
+- if config.Privileged {
+- config.LabelOpts = label.DisableSecOpt()
+- }
+ if err := parseSecurityOpt(config, c.StringArray("security-opt"), runtime); err != nil {
+ return nil, err
+ }
++ if config.Privileged && len(config.LabelOpts) == 0 {
++ config.LabelOpts = label.DisableSecOpt()
++ }
+ config.SecurityOpts = c.StringArray("security-opt")
+ warnings, err := verifyContainerResources(config, false)
+ if err != nil {
diff --git a/SOURCES/podman-1846364-part3.patch b/SOURCES/podman-1846364-part3.patch
new file mode 100644
index 0000000..6ad0e37
--- /dev/null
+++ b/SOURCES/podman-1846364-part3.patch
@@ -0,0 +1,70 @@
+From 48ad0f4e8f36918406b95e498f6750e5d5cf749a Mon Sep 17 00:00:00 2001
+From: Daniel J Walsh <dwalsh@redhat.com>
+Date: Wed, 1 Jul 2020 09:19:18 -0400
+Subject: [PATCH] Don't disable selinux labels if user specifies a security opt
+
+Currenty if the user specifies --pid=host or --ipc=host or --privileged
+then we disable SELinux labeling. If the user however specifies
+--security-opt label:... Then we assume they want to leave SELinux enabled
+and know what they are doing.
+
+This PR will leave SELinux enabled if a user specifies a --security-opt label
+option.
+
+Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
+---
+ cmd/podman/shared/create.go | 20 ++++++++++----------
+ 1 file changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/cmd/podman/shared/create.go b/cmd/podman/shared/create.go
+index 7bb2bc896d..dda36826ec 100644
+--- a/cmd/podman/shared/create.go
++++ b/cmd/podman/shared/create.go
+@@ -198,9 +198,7 @@ func CreateContainer(ctx context.Context, c *GenericCLIResults, runtime *libpod.
+ func parseSecurityOpt(config *cc.CreateConfig, securityOpts []string, runtime *libpod.Runtime) error {
+ var labelOpts []string
+
+- if config.PidMode.IsHost() {
+- labelOpts = append(labelOpts, label.DisableSecOpt()...)
+- } else if config.PidMode.IsContainer() {
++ if config.PidMode.IsContainer() {
+ ctr, err := runtime.LookupContainer(config.PidMode.Container())
+ if err != nil {
+ return errors.Wrapf(err, "container %q not found", config.PidMode.Container())
+@@ -212,9 +210,7 @@ func parseSecurityOpt(config *cc.CreateConfig, securityOpts []string, runtime *l
+ labelOpts = append(labelOpts, secopts...)
+ }
+
+- if config.IpcMode.IsHost() {
+- labelOpts = append(labelOpts, label.DisableSecOpt()...)
+- } else if config.IpcMode.IsContainer() {
++ if config.IpcMode.IsContainer() {
+ ctr, err := runtime.LookupContainer(config.IpcMode.Container())
+ if err != nil {
+ return errors.Wrapf(err, "container %q not found", config.IpcMode.Container())
+@@ -255,7 +251,14 @@ func parseSecurityOpt(config *cc.CreateConfig, securityOpts []string, runtime *l
+ return err
+ }
+ }
+- config.LabelOpts = labelOpts
++ if len(labelOpts) > 0 {
++ config.LabelOpts = labelOpts
++ } else {
++ if config.Privileged || config.IpcMode.IsHost() || config.PidMode.IsHost() {
++ config.LabelOpts = label.DisableSecOpt()
++ }
++ }
++
+ return nil
+ }
+
+@@ -795,9 +798,6 @@ func ParseCreateOpts(ctx context.Context, c *GenericCLIResults, runtime *libpod.
+ if err := parseSecurityOpt(config, c.StringArray("security-opt"), runtime); err != nil {
+ return nil, err
+ }
+- if config.Privileged && len(config.LabelOpts) == 0 {
+- config.LabelOpts = label.DisableSecOpt()
+- }
+ config.SecurityOpts = c.StringArray("security-opt")
+ warnings, err := verifyContainerResources(config, false)
+ if err != nil {
diff --git a/SOURCES/podman-1846364.patch b/SOURCES/podman-1846364.patch
new file mode 100644
index 0000000..cd8c620
--- /dev/null
+++ b/SOURCES/podman-1846364.patch
@@ -0,0 +1,29 @@
+From a81891bb376d673cb6bef851b522a6d678e15ed0 Mon Sep 17 00:00:00 2001
+From: Daniel J Walsh <dwalsh@redhat.com>
+Date: Wed, 24 Jun 2020 10:34:25 -0400
+Subject: [PATCH] Allow security-opts to be parsed even if container is
+ --privileged
+
+Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
+---
+ cmd/podman/shared/create.go | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/cmd/podman/shared/create.go b/cmd/podman/shared/create.go
+index dc343e6942..11a0c9cbe8 100644
+--- a/cmd/podman/shared/create.go
++++ b/cmd/podman/shared/create.go
+@@ -796,10 +796,9 @@ func ParseCreateOpts(ctx context.Context, c *GenericCLIResults, runtime *libpod.
+
+ if config.Privileged {
+ config.LabelOpts = label.DisableSecOpt()
+- } else {
+- if err := parseSecurityOpt(config, c.StringArray("security-opt"), runtime); err != nil {
+- return nil, err
+- }
++ }
++ if err := parseSecurityOpt(config, c.StringArray("security-opt"), runtime); err != nil {
++ return nil, err
+ }
+ config.SecurityOpts = c.StringArray("security-opt")
+ warnings, err := verifyContainerResources(config, false)
diff --git a/SPECS/podman.spec b/SPECS/podman.spec
index 0ee2e8c..7866945 100644
--- a/SPECS/podman.spec
+++ b/SPECS/podman.spec
@@ -29,7 +29,7 @@ go build -buildmode pie -compiler gc -tags="rpm_crashtraceback libtrust_openssl
Name: podman
Version: 1.6.4
-Release: 12%{?dist}
+Release: 15%{?dist}
Summary: Manage Pods, Containers and Container Images
License: ASL 2.0
URL: https://%{name}.io/
@@ -56,6 +56,16 @@ Patch6: podman-CVE-2020-10696.patch
# related bug: https://bugzilla.redhat.com/show_bug.cgi?id=1834346
# patch: https://github.com/containers/libpod/pull/6009.patch
Patch7: podman-1834346.patch
+# related bug: https://bugzilla.redhat.com/show_bug.cgi?id=1846364
+# patch: https://github.com/containers/libpod/pull/6750/commits/a81891bb376d673cb6bef851b522a6d678e15ed0.patch
+Patch8: podman-1846364.patch
+# related bug: https://bugzilla.redhat.com/show_bug.cgi?id=1846364
+# patch: https://github.com/containers/libpod/commit/2ff8dc2fdcb714009f1563fe057919a187bde4c5.patch
+Patch9: podman-1846364-part2.patch
+# related bug: https://bugzilla.redhat.com/show_bug.cgi?id=1846364
+# patch: https://github.com/containers/libpod/pull/6832.patch
+Patch10: podman-1846364-part3.patch
+
Provides: %{name}-manpages = %{version}-%{release}
Obsoletes: %{name}-manpages < %{version}-%{release}
BuildRequires: golang >= 1.12.12-4
@@ -355,6 +365,17 @@ exit 0
%{_datadir}/%{name}/test
%changelog
+* Wed Jul 01 2020 Jindrich Novy <jnovy@redhat.com> - 1.6.4-15
+- fix "Don't disable selinux labels if user specifies a security opt"
+- Resolves: #1846364
+
+* Tue Jun 30 2020 Ian Mcleod <imcleod@redhat.com> - 1.6.4-14
+- follow on fix for #1846364
+
+* Mon Jun 29 2020 Jindrich Novy <jnovy@redhat.com> - 1.6.4-13
+- fix "podman 1.6.4 is not honouring --security-opt when --privileged is passed"
+- Resolves: #1846364
+
* Mon May 18 2020 Jindrich Novy <jnovy@redhat.com> - 1.6.4-12
- fix "Please backport correction patch for the native container healthchecks"
- Resolves: #1834346