Conversation
```go
if err != nil {
output := strings.TrimSpace(string(stdout))
if strings.Contains(output, "container_t") {
	t.Fatal(fmt.Errorf("expect label container_t but get %s", output))
```
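Review bot: the check at `if strings.Contains(output, "container_t")` is inverted relative to its failure message: it calls `t.Fatal` exactly when the label does contain container_t, which is the value the message says it expects, so a correctly labelled container fails this test and an unlabelled one passes. It should read `if !strings.Contains(output, "container_t")`, and `t.Fatalf("expect label container_t but got %s", output)` is the idiomatic form rather than wrapping an `fmt.Errorf` in `t.Fatal`.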
Does the uniqueness of the MCS categories have to be checked too?
What do you think, how should it be checked? @AkihiroSuda
Just run multiple containers and check that the MCS categories are different
Because nerdctl doesn't save the SELinux label into the DB, and nerdctl is a brief process, there may be a chance of getting the same MCS categories. Maybe I should refer to the container ID to keep it unique.
What's the disadvantage if 2 containers have the same MCS categories?
Or we should let containerd call label.InitLabels(labelOpts) instead of letting nerdctl create it @AkihiroSuda
```
selinux_enabled= true
```

## Properties
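Review bot: `selinux_enabled= true` puts the space on the wrong side of `=`; write `selinux_enabled = true` so the key is formatted like the other TOML keys in the config example.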
I don't understand what you mean about selinux_enabled= true? @AkihiroSuda
```go
{
	Description: "test run with selinux-enabled",
	Command: func(data test.Data, helpers test.Helpers) test.TestableCommand {
		return helpers.Command("--selinux-enabled", "run", "-d", "-v", fmt.Sprintf("/%s:/%s:Z", testContainer, testContainer), "--name", testContainer, "sleep", "infinity")
```
Lowercase z should be tested too.
https://docs.docker.com/engine/storage/bind-mounts/#configure-the-selinux-label
The z option indicates that the bind mount content is shared among multiple containers.
The Z option indicates that the bind mount content is private and unshared.
This should be verified by launching multiple containers.
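The two review requests above, checking that several containers get distinct MCS categories and checking that a `:z` mount is shared while a `:Z` mount is private to one container, both come down to parsing SELinux labels and comparing their category sets. The following is an added example of such a test helper; it is not code from this PR or from nerdctl. The label layout `user:role:type:level[:categories]` is the standard one, the container types `container_t` and `container_file_t` are the standard container policy types, and the rule that `:z` drops the categories while `:Z` keeps the container's own categories follows the Docker documentation linked in the comment. The function names, the struct, and the sample labels are my own.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Label is the parsed form of an SELinux label such as
// "system_u:system_r:container_t:s0:c123,c456". Field names are my own.
type Label struct {
	User       string
	Role       string
	Type       string
	Level      string   // sensitivity, normally "s0" for containers
	Categories []string // MCS categories, sorted so order does not matter
}

// ParseLabel splits user:role:type:level[:categories]. The categories part,
// when present, is a comma-separated list such as "c123,c456".
func ParseLabel(raw string) (Label, error) {
	parts := strings.Split(strings.TrimSpace(raw), ":")
	if len(parts) < 4 || len(parts) > 5 {
		return Label{}, fmt.Errorf("malformed SELinux label %q", raw)
	}
	l := Label{User: parts[0], Role: parts[1], Type: parts[2], Level: parts[3]}
	if len(parts) == 5 && parts[4] != "" {
		l.Categories = strings.Split(parts[4], ",")
		sort.Strings(l.Categories)
	}
	return l, nil
}

// CategoryKey is a canonical string for the category set, e.g. "c123,c456".
func (l Label) CategoryKey() string { return strings.Join(l.Categories, ",") }

// CheckUniqueCategories takes the process labels read from several running
// containers (for example "cat /proc/self/attr/current" in each one) and
// fails if any two share the same MCS category set, or if a container has
// no categories at all. Two containers with identical categories are not
// separated by MCS: each can access the other's :Z-labelled files.
func CheckUniqueCategories(processLabels []string) error {
	seen := make(map[string]int)
	for i, raw := range processLabels {
		l, err := ParseLabel(raw)
		if err != nil {
			return err
		}
		if len(l.Categories) == 0 {
			return fmt.Errorf("container %d has no MCS categories: %q", i, raw)
		}
		key := l.CategoryKey()
		if j, dup := seen[key]; dup {
			return fmt.Errorf("containers %d and %d share MCS categories %s", j, i, key)
		}
		seen[key] = i
	}
	return nil
}

// ExpectedMountLabel derives the file label a bind mount should carry from
// the container's process label: ":z" (shared) keeps the type but drops the
// categories, ":Z" (private) keeps the container's categories. The object
// type container_file_t is assumed from the standard container policy.
func ExpectedMountLabel(processLabel string, shared bool) (string, error) {
	p, err := ParseLabel(processLabel)
	if err != nil {
		return "", err
	}
	mount := "system_u:object_r:container_file_t:" + p.Level
	if !shared && len(p.Categories) > 0 {
		mount += ":" + p.CategoryKey()
	}
	return mount, nil
}

// MountIsPrivateTo reports whether a mount label carries exactly the MCS
// categories of the given container (the ":Z" case). A ":z" label has no
// categories and therefore is private to no container.
func MountIsPrivateTo(mountLabel, processLabel string) (bool, error) {
	m, err := ParseLabel(mountLabel)
	if err != nil {
		return false, err
	}
	p, err := ParseLabel(processLabel)
	if err != nil {
		return false, err
	}
	return len(m.Categories) > 0 && m.CategoryKey() == p.CategoryKey(), nil
}

func main() {
	// Constructed sample labels standing in for three containers' output;
	// the third collides with the first (same categories, different order).
	labels := []string{
		"system_u:system_r:container_t:s0:c12,c345",
		"system_u:system_r:container_t:s0:c678,c901",
		"system_u:system_r:container_t:s0:c345,c12",
	}
	fmt.Println("first two unique:", CheckUniqueCategories(labels[:2]))
	fmt.Println("all three:", CheckUniqueCategories(labels))
	for _, shared := range []bool{true, false} {
		m, _ := ExpectedMountLabel(labels[0], shared)
		fmt.Printf("shared=%v -> %s\n", shared, m)
	}
}
```

In a real test the process labels would come from running `cat /proc/self/attr/current` in each container and the mount labels from `ls -Z` (or `getfattr -n security.selinux`) on the bind-mounted path, and `CheckUniqueCategories` is what turns "run multiple containers" into an assertion rather than a manual look at the output.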
Needs rebase
done
Signed-off-by: ningmingxiao <ning.mingxiao@zte.com.cn>
Do we need to add a new API in containerd to manage the SELinux label? Because `label.InitLabels(labelOptions)` should run on the server to keep it unique @AkihiroSuda
ChengyuZhu6 left a comment:
@ningmingxiao I’ve left a few comments; please take a look.
```go
base.Cmd("run", "--rm", "--privileged", testutil.AlpineImage, "cat", attrCurrentPath).AssertOutContains("unconfined")
}

func TestRunSelinuxWithSecurityOpt(t *testing.T) {
```
Missing `testCase.Run(t)`; the subtests will not actually run.
```go
},
}
}
func TestRunSelinux(t *testing.T) {
```
```go
}
}

func TestRunSelinuxWithVolumeLabel(t *testing.T) {
```
```go
opts = append(opts, WithSelinuxLabel(processLabel, mountLabel))
}
// if selinux-enabled=true and security-opt selinux label is not set.
if selinuxEnabled && len(labelOpts) == 0 {
```
When running with --privileged, SELinux labels should be disabled. From the Docker docs: https://docs.docker.com/reference/cli/docker/container/run/#privileged
Missing selinux_enabled from the Properties table.
```go
Command: func(data test.Data, helpers test.Helpers) test.TestableCommand {
	return helpers.Command("--selinux-enabled", "run", "-d", "-v", fmt.Sprintf("/%s:/%s:Z", testContainer, testContainer), "--name", testContainer, "sleep", "infinity")
},
Cleanup: func(data test.Data, helpers test.Helpers) {
	helpers.Anyhow("rm", "-f", testContainer)
},
```
The test creates a directory at /{testContainer} on the host via the -v flag with :Z option, but the Cleanup function only removes the container, not the directory.
OK, I will fix it later; I'm fixing the SELinux name conflict. @ChengyuZhu6
ping @AkihiroSuda