Add support for container creation's selinux_opts attribute

[gjpin]

Solves #135

Hi!

This PR adds support for the selinux_opts attribute, as per https://docs.podman.io/en/latest/_static/api.html#operation/ContainerCreateLibpod .

I've also updated the README file and the tests to support the new attribute.

Thank you!

[lgfa29]

Thanks for the PR @gjpin!

I had to rebase and force-push your branch to fix some conflicts, and I also added a CHANGELOG entry.

[lgfa29]

Hum...actually I just noticed that the tests are failing? Do they require SELinux to be enabled in the environment?

[hashicorp-cla]

All committers have signed the CLA.

[jdoss]

@lgfa29 It looks like the log with the test failures has aged out. Can you rerun them. Looking at the test, is trying to add a SELinux label and then check for it. If SELinux is not enabled, that is going to fail.

[jdoss]

Lookin a bit more. It looks like you can't run the GitHub hosted actions with SELinux enabled. The SELinux team runs a MacOS GH Action with a Fedora Linux VM to run their test suite 🤢

https://github.com/SELinuxProject/selinux/blob/master/.github/workflows/vm_testsuite.yml

[quentin9696]

Hi

Any plan to merge this feature on the master branch ?
I saw that all tests are greens. Do you need something else to merge ?

[lgfa29]

Sorry for the delay here everyone, I'm getting this merged and it will be released soon.

Thank you so much for the contribution @gjpin (and for patience through the slow review process 😅)

[quentin9696]

@lgfa29 thank you for the merge.
I'll test is as soon as it's released !

[lgfa29]

Lookin a bit more. It looks like you can't run the GitHub hosted actions with SELinux enabled. The SELinux team runs a MacOS GH Action with a Fedora Linux VM to run their test suite 🤢

https://github.com/SELinuxProject/selinux/blob/master/.github/workflows/vm_testsuite.yml

Ops, the ✅ was a red herring 😅

Since the commit was just CHANGELOG update, the test suite didn't actually run. I tried this Vagrant approach since we also have a dev Vagrantfile, but I couldn't get it to work and it would take quite a bit of time to investigate, so I will just skip these tests in CI for now.

[quentin9696]

@lgfa29 oh, I thought that was solved :/.

I made a test on my cluster and it works well on my side.

I create a task with selinux_opts = ["disable"]and podman run it with my flag correctly, I'm allow to talk with my socket. When I run the same job without the selinux_opts and got my expected access denied.

I hope you'll find the solution with the macos and vagran hack to enable selinux on a machine. That's sad to see github action disable selinux on their linux machines 👎

[lgfa29]

No worries, I thought it was good too 😅

I'm skipping these two tests for now until we figure out a better way. Hopefuly GitHub will provide something better soon 🤞