Fix handling of selinux labels in podman play kube

[rhatdan]

Fixes: #10969

[NO TESTS NEEDED] We added tests for this, but they don't seem to be
running. If I run the local system tests, they fail with the current
Podman and work with this version.

Signed-off-by: Daniel J Walsh [email protected]

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: rhatdan

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [rhatdan]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[umohnani8]

LGTM

[jwhonce]

/lgtm

[edsantiago]

We added tests for this, but they don't seem to be running.

Can you help me understand why this is happening? If you point me at a specific test, I can try to track down prior CI runs and see if they're skipped. If the tests are running and passing, that would be bad, no?

[rhatdan]

700-play.bats

@test "podman play with stdin" {
TESTDIR=$PODMAN_TMPDIR/testdir
mkdir -p $TESTDIR
echo "$testYaml" | sed "s|TESTDIR|${TESTDIR}|g" > $PODMAN_TMPDIR/test.yaml
run_podman play kube - < $PODMAN_TMPDIR/test.yaml
if [ -e /usr/sbin/selinuxenabled -a /usr/sbin/selinuxenabled ]; then
run ls -Zd $TESTDIR
is "$output" ${RELABEL} "selinux relabel should have happened"
fi
run_podman pod rm -f test_pod
}

I would guess these tests are running on disabled SELinux machines. When I ran them locally they blew up.

[edsantiago]

When I ran them locally they blew up.

Do you still have the command you ran, and the output? I've never seen that test fail, and I often run full bats runs on my laptop (with SELinux enforcing, needless to say). I also confirmed that the test is not being skipped in CI. I think there might be something we're not actually testing.

[rhatdan]

I ran them locally on F34 as root yesterday and it failed, with
podman-3.2.2-1.fc34.x86_64

[edsantiago]

# bats --filter stdin /usr/share/podman/test/system/700-play.bats
 ✓ podman play with stdin

1 test, 0 failures
# rpm -q podman
podman-3.2.2-1.fc34.x86_64

These tests pass all the time in gating. I run them manually, often, on my laptop and on 1mt VMs. If it failed in your setup, I need to know how you invoked it and what the error was. I have to assume it's a problem with your setup or your test invocation.

More importantly, I would like to write a test for this PR, because I don't like PRs going in without tests. I'm trying to figure out a reproducer from #10969 but am having trouble reducing it to something small.

[acastong]

@rhatdan, is this a change we could consider porting over to 3.2.x?

[mheon]

We're done with 3.2.x releases at this point. We are looking towards a 3.3.0 something in early August.

[edsantiago]

We have a problem. We have no tests for this bug fix, no way to catch a regression.

I've spent several hours this week trying to reproduce the failure described in #10969, and can't come up with a test case that fails under pre-10992 podman. That makes me think our 700-play.bats tests are incomplete; I just don't know how to fix them. And I'm giving up because this has become counterproductive for me. Am writing this note because some day this may come back to bite us.