diff --git a/server/container_create.go b/server/container_create.go
index 9e3f5670..042581f3 100644
--- a/server/container_create.go
+++ b/server/container_create.go
@@ -45,7 +45,7 @@ const (
 	defaultSystemdParent = "system.slice"
 )
-func addOCIBindMounts(sb *sandbox.Sandbox, containerConfig *pb.ContainerConfig, specgen *generate.Generator) ([]oci.ContainerVolume, error) {
+func addOCIBindMounts(mountLabel string, containerConfig *pb.ContainerConfig, specgen *generate.Generator) ([]oci.ContainerVolume, error) {
 	volumes := []oci.ContainerVolume{}
 	mounts := containerConfig.GetMounts()
 	for _, mount := range mounts {
@@ -73,7 +73,7 @@ func addOCIBindMounts(sb *sandbox.Sandbox, containerConfig *pb.ContainerConfig,
 		if mount.SelinuxRelabel {
 			// Need a way in kubernetes to determine if the volume is shared or private
-			if err := label.Relabel(src, sb.MountLabel(), true); err != nil && err != unix.ENOTSUP {
+			if err := label.Relabel(src, mountLabel, true); err != nil && err != unix.ENOTSUP {
 				return nil, fmt.Errorf("relabel failed %s: %v", src, err)
 			}
 		}
@@ -519,7 +519,12 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
 	specgen.HostSpecific = true
 	specgen.ClearProcessRlimits()
-	containerVolumes, err := addOCIBindMounts(sb, containerConfig, &specgen)
+	processLabel, mountLabel, err := getSELinuxLabels(containerConfig.GetLinux().GetSecurityContext().GetSelinuxOptions())
+	if err != nil {
+		return nil, err
+	}
+
+	containerVolumes, err := addOCIBindMounts(mountLabel, containerConfig, &specgen)
 	if err != nil {
 		return nil, err
 	}
@@ -703,7 +708,7 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
 				}
 			}
 		}
-		specgen.SetProcessSelinuxLabel(sb.ProcessLabel())
+		specgen.SetProcessSelinuxLabel(processLabel)
 	}
 	specgen.SetLinuxMountLabel(sb.MountLabel())
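Review bot: addOCIBindMounts has no doc comment, and after this signature change the meaning of the new first parameter is only discoverable from the Relabel call further down in hunk -73; a comment above the `func` line would help, e.g. `// addOCIBindMounts adds the container's requested bind mounts to specgen and, for mounts that set SelinuxRelabel, relabels the host source with mountLabel as shared; ENOTSUP from the relabel is tolerated.` The function body continues past the end of the hunk.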
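Review bot: processLabel and mountLabel are now derived from the container's own SelinuxOptions, but the spec's mount label is still set from the sandbox in hunk -703 (`specgen.SetLinuxMountLabel(sb.MountLabel())`), while the bind-mount relabels (hunk -73), the storage container (hunk -884) and the image volumes (hunk -907) all use the new mountLabel. If getSELinuxLabels can return a label that differs from the sandbox's — what it yields for a nil options argument is not visible here — the rootfs mount label and the labels on the container's volumes diverge, which surfaces as access denials that are hard to trace back to this line. Either pass mountLabel to SetLinuxMountLabel as well, or add a comment stating why the sandbox label is intentionally kept for the rootfs. createSandboxContainer starts and ends outside these hunks.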
@@ -818,15 +823,18 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
 		options = []string{"ro"}
 	}
 	if sb.ResolvPath() != "" {
-		// TODO: selinux
-		// label.Relabel(sb.ResolvPath(), container.MountLabel, shared)
+		if err := label.Relabel(sb.ResolvPath(), mountLabel, true); err != nil && err != unix.ENOTSUP {
+			return nil, err
+		}
 		// bind mount the pod resolver file
 		specgen.AddBindMount(sb.ResolvPath(), "/etc/resolv.conf", options)
 	}
 	if sb.HostnamePath() != "" {
-		// TODO: selinux
+		if err := label.Relabel(sb.HostnamePath(), mountLabel, true); err != nil && err != unix.ENOTSUP {
+			return nil, err
+		}
 		specgen.AddBindMount(sb.HostnamePath(), "/etc/hostname", options)
 	}
@@ -884,7 +892,7 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
 		containerName, containerID, metaname, attempt,
-		sb.MountLabel(),
+		mountLabel,
 		nil)
 	if err != nil {
 		return nil, err
@@ -907,7 +915,7 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
 	}
 	// Add image volumes
-	if err := addImageVolumes(mountPoint, s, &containerInfo, &specgen, sb.MountLabel()); err != nil {
+	if err := addImageVolumes(mountPoint, s, &containerInfo, &specgen, mountLabel); err != nil {
 		return nil, err
 	}
diff --git a/server/sandbox_run.go b/server/sandbox_run.go
index d5e6ecc4..887a846e 100644
--- a/server/sandbox_run.go
+++ b/server/sandbox_run.go
@@ -203,8 +203,9 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
 		}
 		return nil, err
 	}
-	// TODO: selinux
-	// label.Relabel(sb.ResolvPath(), container.MountLabel, shared)
+	if err := label.Relabel(resolvPath, mountLabel, true); err != nil && err != unix.ENOTSUP {
+		return nil, err
+	}
 	g.AddBindMount(resolvPath, "/etc/resolv.conf", []string{"ro"})
 }
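Review bot: resolv.conf and hostname are per-pod files, and RunPodSandbox already relabels both at pod creation (sandbox_run.go hunks -203 and -464), so relabeling them again on every createSandboxContainer call is at best redundant; if mountLabel can differ between containers of the same pod and Relabel with shared=true does not collapse the MCS level, the last container created silently rewrites the label the earlier ones were given. Consider dropping these two relabels in favour of the sandbox-time ones, or add a comment stating why a per-container relabel is required. Separately, the new error paths here and in the two sandbox_run.go hunks return the bare `err`, whereas the existing relabel in hunk -73 wraps it with the path; `return nil, fmt.Errorf("relabel failed %s: %v", sb.ResolvPath(), err)` keeps the diagnostics consistent. createSandboxContainer starts and ends outside the hunk.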
@@ -464,7 +465,9 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
 	if err := ioutil.WriteFile(hostnamePath, []byte(hostname+"\n"), 0644); err != nil {
 		return nil, err
 	}
-	// TODO: selinux relabel
+	if err := label.Relabel(hostnamePath, mountLabel, true); err != nil && err != unix.ENOTSUP {
+		return nil, err
+	}
 	g.AddBindMount(hostnamePath, "/etc/hostname", []string{"ro"})
 	g.AddAnnotation(annotations.HostnamePath, hostnamePath)
 	sb.AddHostnamePath(hostnamePath)
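Review bot: the new relabel block tolerates unix.ENOTSUP without saying why, and the same bare comparison is repeated in every relabel this commit adds; a one-line comment above the `if`, such as `// ENOTSUP: the backing filesystem has no xattr support, so there is nothing to relabel — presumably intentional, confirm`, would spare the next reader a lookup. If label.Relabel ever returns a wrapped error, `err != unix.ENOTSUP` stops matching and the relabel becomes fatal on such filesystems; `errors.Is(err, unix.ENOTSUP)` is the robust form. RunPodSandbox starts and ends outside the hunk.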