Bug 1811773
| Summary: | [RFE] cockpit-podman ability to set selinux contexts for volumes | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Klaas Demter <klaas> |
| Component: | cockpit-podman | Assignee: | Jindrich Novy <jnovy> |
| Status: | CLOSED ERRATA | QA Contact: | Jan Ščotka <jscotka> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 8.1 | CC: | apmukher, dornelas, jnovy, klaas, kwalker, mmarusak, mpitt, ypu |
| Target Milestone: | rc | Keywords: | FutureFeature, Triaged |
| Target Release: | 8.4 | Flags: | pm-rhel:
mirror+
|
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | cockpit-podman-25-1.el8 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-05-18 15:32:55 UTC | Type: | Feature Request |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1186913 | ||
Test with cockpit-podman-28.1-1.module+el8.4.0+10073+30e5ea69.noarch and seems the Z/z flag is not work as expected:
Create a container with share/private from cockpit-podman website, and check the container with inspect in the host. And the Mode Z/z is not set as expect:
# podman inspect romantic_elgamal --format "{{.Mounts}}"
[{bind /mnt/mytest /mnt [rbind] true rprivate}]
@ypu , this is not the correct way to test that. Mode z/Z has *no influence* on the mount, it is a file system property on the host on the bind mounted directory. E.g.
$ mkdir data
$ ls -ldZ data
drwxr-xr-x. 2 martin martin unconfined_u:object_r:user_tmp_t:s0 40 23. Feb 06:30 data
$ podman run -it -v ./data:/data:z registry.fedoraproject.org/fedora sleep infinity
$ ls -lZd data
drwxr-xr-x. 2 martin martin system_u:object_r:container_file_t:s0 40 23. Feb 06:30 data
^^ see how the z changed the type of the directory to container_file_t
$ podman inspect sharp_babbage --format "{{.Mounts}}"
[{bind /tmp/data /data [nosuid nodev rbind] true rprivate}]
The real test is whether you can access the directory inside the container with SELinux enabled:
$ podman exec sharp_babbage touch /data/hello.txt
$ ls -l data/hello.txt
-rw-r--r--. 1 martin martin 0 23. Feb 06:34 data/hello.txt
Without z/Z this would not work.
Hi Martin, Thanks a lot for the information. I used to use a named volume with -v and the lable is shows in the Mounts. But you are right it is different from the directory mount. And double checked with cockpit-podman and both private and shared mode works as expected. So set this to verified. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: container-tools:rhel8 security, bug fix, and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2021:1796 |
Description of problem: I would like to be able to specify selinux options for volumes based on hostdirs. Currently I can only select read only or readwrite, it is missing the z and Z options. From podman-run manpage: To change a label in the container context, you can add either of two suffixes :z or :Z to the volume mount. These suffixes tell Podman to relabel file objects on the shared volumes. The z option tells Podman that two containers share the volume content. As a result, Podman labels the content with a shared content label. Shared volume labels allow all containers to read/write content. The Z option tells Podman to label the content with a private unshared label. Only the current container can use a private volume. There was a bug against cockpit-docker but it was never finished: https://github.com/cockpit-project/cockpit/issues/7181 https://github.com/cockpit-project/cockpit/pull/9416 Version-Release number of selected component (if applicable): cockpit-podman-11-1.module+el8.1.1+5259+bcdd613a. How reproducible: Create container from cockpit dashboard, only options you can select are readonly or readwrite Actual results: Unable to set z/Z option for a hostdir volume Expected results: Able to set z/Z option for a hostdir volume