
Merge pull request #20746 from rhatdan/selinux
Ignore SELinux relabel on unsupported file systems
openshift-merge-bot[bot] authored Nov 23, 2023
2 parents ca1331b + ddd6cdf commit b4eb88f
Showing 6 changed files with 49 additions and 7 deletions.
2 changes: 1 addition & 1 deletion libpod/container_internal.go
Expand Up @@ -2514,7 +2514,7 @@ func (c *Container) extractSecretToCtrStorage(secr *ContainerSecret) error {
if err := os.Chmod(secretFile, os.FileMode(secr.Mode)); err != nil {
return err
}
if err := label.Relabel(secretFile, c.config.MountLabel, false); err != nil {
if err := c.relabel(secretFile, c.config.MountLabel, false); err != nil {
return err
}
return nil
13 changes: 9 additions & 4 deletions libpod/container_internal_common.go
Expand Up @@ -869,7 +869,7 @@ func (c *Container) mountNotifySocket(g generate.Generator) error {
return fmt.Errorf("unable to create notify %q dir: %w", notifyDir, err)
}
}
if err := label.Relabel(notifyDir, c.MountLabel(), true); err != nil {
if err := c.relabel(notifyDir, c.MountLabel(), true); err != nil {
return fmt.Errorf("relabel failed %q: %w", notifyDir, err)
}
logrus.Debugf("Add bindmount notify %q dir", notifyDir)
Expand Down Expand Up @@ -2288,7 +2288,7 @@ func (c *Container) bindMountRootFile(source, dest string) error {
if err := os.Chown(source, c.RootUID(), c.RootGID()); err != nil {
return err
}
if err := label.Relabel(source, c.MountLabel(), false); err != nil {
if err := c.relabel(source, c.MountLabel(), false); err != nil {
return err
}

Expand Down Expand Up @@ -2824,7 +2824,7 @@ func (c *Container) createSecretMountDir(runPath string) error {
if err := umask.MkdirAllIgnoreUmask(src, os.FileMode(0o755)); err != nil {
return err
}
if err := label.Relabel(src, c.config.MountLabel, false); err != nil {
if err := c.relabel(src, c.config.MountLabel, false); err != nil {
return err
}
if err := os.Chown(src, c.RootUID(), c.RootGID()); err != nil {
Expand Down Expand Up @@ -2927,7 +2927,12 @@ func (c *Container) relabel(src, mountLabel string, shared bool) error {
return nil
}
}
return label.Relabel(src, mountLabel, shared)
err := label.Relabel(src, mountLabel, shared)
if errors.Is(err, unix.ENOTSUP) {
logrus.Debugf("Labeling not supported on %q", src)
return nil
}
return err
}

func (c *Container) ChangeHostPathOwnership(src string, recurse bool, uid, gid int) error {
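Review bot: The ENOTSUP branch at L62–L65 reports at Debug only, so a user who asked for `:Z`/`:z` on a volume that sits on a filesystem without xattr labeling gets no visible signal that the path kept its pre-existing label and that the container may later be denied access to it; `logrus.Warnf("Labeling not supported on %q, leaving existing label (wanted %q)", src, mountLabel)` would make that diagnosable. Whether `errors.Is` reaches the errno depends on label.Relabel wrapping it (via %w or *os.PathError); the util_linux.go hunk replacing a bare `==` for the same comparison suggests it does, but confirm against the vendored go-selinux. If Relabel walks the tree for shared=true, the first ENOTSUP aborts the walk and a partially relabeled tree is then reported as success — worth a comment on the branch. relabel's body begins before this hunk.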
5 changes: 4 additions & 1 deletion libpod/networking_linux.go
Expand Up @@ -440,7 +440,10 @@ func (r *Runtime) GetRootlessNetNs(new bool) (*RootlessNetNS, error) {
// this is important, otherwise the iptables command will fail
err = label.Relabel(runDir, "system_u:object_r:iptables_var_run_t:s0", false)
if err != nil {
return nil, fmt.Errorf("could not create relabel rootless-netns run directory: %w", err)
if !errors.Is(err, unix.ENOTSUP) {
return nil, fmt.Errorf("could not create relabel rootless-netns run directory: %w", err)
}
logrus.Debugf("Labeling not supported on %q", runDir)
}
// create systemd run directory
err = os.MkdirAll(filepath.Join(runDir, "systemd"), 0700)
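Review bot: The comment at L74 still says the relabel is required or the iptables command will fail, but the new branch at L78–L81 carries on after ENOTSUP, so on a filesystem without label support that failure now surfaces later from iptables with nothing pointing back here; extend the comment, e.g. `// on filesystems without xattr label support we carry on; a later iptables denial is the symptom`. The Debug line also drops which label was wanted — `logrus.Debugf("Labeling not supported on %q (wanted iptables_var_run_t)", runDir)` keeps that context. GetRootlessNetNs starts and ends outside this hunk.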
6 changes: 6 additions & 0 deletions libpod/util.go
Expand Up @@ -6,6 +6,7 @@ package libpod
import (
"bufio"
"encoding/binary"
"errors"
"fmt"
"io"
"net/http"
Expand All @@ -23,6 +24,7 @@ import (
spec "github.com/opencontainers/runtime-spec/specs-go"
"github.com/opencontainers/selinux/go-selinux/label"
"github.com/sirupsen/logrus"
"golang.org/x/sys/unix"
)

// FuncTimer helps measure the execution time of a function
Expand Down Expand Up @@ -273,6 +275,10 @@ func writeStringToPath(path, contents, mountLabel string, uid, gid int) error {
}
// Relabel runDirResolv for the container
if err := label.Relabel(path, mountLabel, false); err != nil {
if errors.Is(err, unix.ENOTSUP) {
logrus.Debugf("Labeling not supported on %q", path)
return nil
}
return err
}

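Review bot: The ENOTSUP-to-success translation at L108–L111 is now the fourth copy of the same four lines in this commit (relabel in container_internal_common.go, GetRootlessNetNs, LabelVolumePath), each with its own log text, so any later change to the policy (log level, message, additional errnos) has to be repeated in four places. A small helper in util.go that the other call sites share would keep them aligned; the sketch below is that helper, and writeStringToPath would then call `if err := relabelIgnoreUnsupported(path, mountLabel, false); err != nil { return err }`. writeStringToPath's body starts before this hunk.
```go
// relabelIgnoreUnsupported applies mountLabel to path via label.Relabel and
// treats ENOTSUP (a filesystem without SELinux xattr support) as success,
// logging the skipped relabel at debug level. Any other error is returned.
func relabelIgnoreUnsupported(path, mountLabel string, shared bool) error {
	err := label.Relabel(path, mountLabel, shared)
	if errors.Is(err, unix.ENOTSUP) {
		logrus.Debugf("Labeling not supported on %q, keeping existing label", path)
		return nil
	}
	return err
}
```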
3 changes: 2 additions & 1 deletion libpod/util_linux.go
Expand Up @@ -4,6 +4,7 @@
package libpod

import (
"errors"
"fmt"
"os"
"path/filepath"
Expand Down Expand Up @@ -146,7 +147,7 @@ func LabelVolumePath(path, mountLabel string) error {
}

if err := lvpRelabel(path, mountLabel, true); err != nil {
if err == syscall.ENOTSUP {
if errors.Is(err, unix.ENOTSUP) {
logrus.Debugf("Labeling not supported on %q", path)
} else {
return fmt.Errorf("setting selinux label for %s to %q as shared: %w", path, mountLabel, err)
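Review bot: Replacing `==` with `errors.Is` at L131 presumably turns a comparison that never matched into one that does (if go-selinux wraps the errno in *os.PathError, as the other hunks' use of errors.Is assumes), so LabelVolumePath changes from failing to mounting the volume with its existing label; that deserves a line in the commit message and a comment on the check, e.g. `// label.Relabel wraps the errno, so a direct comparison would miss it`. Since `syscall` is no longer referenced on this line, check the file's remaining uses so the import does not become unused. LabelVolumePath starts before this hunk.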
27 changes: 27 additions & 0 deletions test/system/410-selinux.bats
Expand Up @@ -355,4 +355,31 @@ EOF
is "$output" "$user:system_r:container_t:$level" "Confined with role override label Correctly"
}

@test "podman selinux: check unsupported relabel" {
skip_if_no_selinux
skip_if_rootless

LABEL="system_u:object_r:tmp_t:s0"
RELABEL="system_u:object_r:container_file_t:s0"
tmpdir=$PODMAN_TMPDIR/vol
mkdir -p $tmpdir

mount --type tmpfs -o "context=\"$LABEL\"" tmpfs $tmpdir

run ls -dZ ${tmpdir}
is "$output" "${LABEL} ${tmpdir}" "No Relabel Correctly"
run_podman run --rm -v $tmpdir:/test:z --privileged $IMAGE true
run ls -dZ $tmpdir
is "$output" "${LABEL} $tmpdir" "Ignored shared relabel Correctly"

run_podman run --rm -v $tmpdir:/test:Z --privileged $IMAGE true
run ls -dZ $tmpdir
is "$output" "${LABEL} $tmpdir" "Ignored private relabel Correctly"}
umount $tmpdir

run_podman run --rm -v $tmpdir:/test:z --privileged $IMAGE true
run ls -dZ $tmpdir
is "$output" "${RELABEL} $tmpdir" "Ignored private relabel Correctly"}
}

# vim: filetype=sh
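Review bot: `umount $tmpdir` at L162 only runs if every preceding `is` passes, so a failed assertion leaves the tmpfs mounted under $PODMAN_TMPDIR for the rest of the suite; arrange the unmount as cleanup (in a `teardown()` or registered before the mount) instead of inline. The `is` calls at L161 and L166 carry a stray `}` after the closing quote, which bash folds into the message argument, and the L166 message says the relabel was ignored although after the umount the `z` relabel is expected to apply — `is "$output" "${RELABEL} $tmpdir" "Relabeled after umount correctly"`. The `Z` case is only exercised on the unsupported filesystem, so the private-relabel path after the umount stays untested.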

1 comment on commit b4eb88f

@packit-as-a-service

podman-next COPR build failed. @containers/packit-build please check.
