Add 'relabel' to --mount options #4034
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: rhatdan
This should help rectify containers/podman-compose#41
LGTM
@@ -470,6 +470,8 @@ Current supported mount TYPES are bind, and tmpfs. | |||
|
|||
type=bind,source=/path/on/host,destination=/path/in/container | |||
|
|||
type=bind,src=/path/on/host,dst=/path/in/container,relabel=shared | |||
|
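Review bot: the added example line uses the src/dst short forms while the existing example directly above it uses source/destination; both spellings are accepted (the thread confirms src/dst is documented in the man page), but a reader comparing the two adjacent lines may take that for a different syntax, so mirror the long form, e.g. "type=bind,source=/path/on/host,destination=/path/in/container,relabel=shared". Also, the commit message introduces two values, relabel=shared and relabel=private, yet the hunk only shows shared; document both values and state what each one does to the label of the mounted content.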
Just double checking. src and dst are both valid? The other examples have source and destination
It is supported and documented in the man page
Mount already has volume support.
Also, if we want to match Docker, this should be bind-propagation
On Mon, Sep 16, 2019, 08:57 Tom Sweeney wrote:
> In docs/podman-create.1.md:
> @@ -470,6 +470,8 @@ Current supported mount TYPES are bind, and tmpfs.
type=bind,source=/path/on/host,destination=/path/in/container
+ type=bind,src=/path/on/host,dst=/path/in/container,relabel=shared
+
Just double checking. src and dst are both valid? The other examples have source and destination
Man pages don't document volume support. Docker does not look like it supports relabeling at all, at least in the man pages. bind-propagation makes no sense for relabelling.
Interesting... Alright, this sounds reasonable, then.
Branch updated from 964dda8 to 3578086.
Added docs for volume support.
pkg/spec/storage.go
@@ -467,6 +467,22 @@ func getBindMount(args []string) (spec.Mount, error) { | |||
} | |||
newMount.Destination = kv[1] | |||
setDest = true | |||
case "relabel": | |||
if setRelabel { | |||
return newMount, errors.Wrapf(optionArgError, "cannot pass 'ro' or 'rw' options more than once") |
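Review bot: the error message in the new `case "relabel":` branch was copied from the ro/rw branch ("cannot pass 'ro' or 'rw' options more than once") and will mislead a user who actually passed relabel twice; change it to name 'relabel'. The hunk is cut off before the value is consumed, so also make sure the accepted values are limited to shared and private, the two the commit message names, and that any other value is rejected with an error rather than silently ignored, since a typo here would leave the mount with whatever label it had on the host.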
Change ro and rw to relabel
LGTM once my comment nit is addressed
:z and :Z tend to be considered dangerous, and maybe it is going to be deprecated for Moby/Docker. Why not let users to chcon explicitly?
Currently if a user specifies a --mount option, there is no way to tell SELinux to relabel the mount point. This patch adds the relabel=shared and relabel=private options. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
@AkihiroSuda You can not chroot explicitly except for shared. Since the container engine picks out the label, it can not be done as a private label. Always labeling as shared means all of the containers would have the ability to modify content and potentially cause containers to be attacked. If you want to volume mount /var/lib/mariadb into a container that is running mariadb, then you want the database to be private to the container.
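To make the shared/private distinction concrete, here is an added, self-contained parser for the `--mount` option string that this PR extends. It is an editor's illustration, not the project's code in pkg/spec/storage.go: the `ParseMount` function, the `Mount` struct and the `relabelOption` table are all hypothetical names. It assumes that `relabel=shared` requests the same treatment as the `:z` volume suffix (one label that every container's process can write) and `relabel=private` the same as `:Z` (a label specific to this container), which is the mapping the thread discusses but the visible hunk does not show. It enforces the two points a reviewer would want: each option may be given only once (including through its alias), and only the two documented relabel values are accepted.

```go
package main

import (
	"fmt"
	"strings"
)

// Mount is the parsed form of one --mount option string.
type Mount struct {
	Type        string
	Source      string
	Destination string
	Options     []string // mount options handed to the runtime, e.g. "z" or "Z"
}

// relabelOption maps relabel= values to the SELinux mount option that
// requests the relabel. Assumption, not taken from the PR: "shared" behaves
// like :z (a shared label any container may write) and "private" like :Z
// (a label unique to this container, so other containers are denied).
var relabelOption = map[string]string{
	"shared":  "z",
	"private": "Z",
}

// ParseMount parses a string such as
// "type=bind,src=/path/on/host,dst=/path/in/container,relabel=shared".
// src/source and dst/destination are aliases; every option may appear once.
func ParseMount(spec string) (Mount, error) {
	var m Mount
	seen := map[string]bool{}
	for _, field := range strings.Split(spec, ",") {
		if field == "" {
			continue
		}
		kv := strings.SplitN(field, "=", 2)
		if len(kv) != 2 {
			return Mount{}, fmt.Errorf("option %q must be of the form key=value", field)
		}
		key, val := kv[0], kv[1]
		// Fold aliases first so "src=...,source=..." is caught as a duplicate.
		switch key {
		case "source":
			key = "src"
		case "destination":
			key = "dst"
		}
		if seen[key] {
			return Mount{}, fmt.Errorf("cannot pass %q option more than once", key)
		}
		seen[key] = true
		switch key {
		case "type":
			m.Type = val
		case "src":
			m.Source = val
		case "dst":
			m.Destination = val
		case "relabel":
			// Reject anything but the two documented values instead of
			// silently leaving the host label in place.
			opt, ok := relabelOption[val]
			if !ok {
				return Mount{}, fmt.Errorf("relabel must be 'shared' or 'private', got %q", val)
			}
			m.Options = append(m.Options, opt)
		default:
			return Mount{}, fmt.Errorf("unknown --mount option %q", key)
		}
	}
	// The PR adds relabel to bind mounts and, per the thread, volume mounts.
	if m.Type != "bind" && m.Type != "volume" {
		return Mount{}, fmt.Errorf("unsupported mount type %q (expected bind or volume)", m.Type)
	}
	if m.Destination == "" {
		return Mount{}, fmt.Errorf("destination is required")
	}
	return m, nil
}

func main() {
	// Constructed inputs: the PR's doc example, a private database volume
	// (the mariadb case from the discussion), and two that must be rejected.
	for _, spec := range []string{
		"type=bind,src=/path/on/host,dst=/path/in/container,relabel=shared",
		"type=bind,source=/var/lib/mariadb,destination=/var/lib/mariadb,relabel=private",
		"type=bind,src=/a,dst=/b,relabel=shared,relabel=private",
		"type=bind,src=/a,dst=/b,relabel=everyone",
	} {
		m, err := ParseMount(spec)
		if err != nil {
			fmt.Printf("%s\n  rejected: %v\n", spec, err)
			continue
		}
		fmt.Printf("%s\n  -> %+v\n", spec, m)
	}
}
```

Run it with `go run .` to see the mariadb mount come out with option "Z" (private to that container) while the documented example comes out with "z"; the duplicate and the misspelled relabel value are both refused, which is the behaviour the reviewer's nit about the copied error message is really about.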
/lgtm