Fix relabeling failures with Z/z volumes on Mac

Non-Linux systems, such as BSD kernels, constrain xatter updates according to file permissions. This is in contrast to Linux selinux attr writes, which are governed by an selinux policy. By dafault this policy apllows users to relabel files owned by themselves even if file perms would otherwise disallow write. This results in robust container relabeling results on Linux, and fragile results everywhere else. Therefore, change the mac policy to force the nfs_t context on all files, and ignore all relabel events. As a side-effect, this will disallow any ability to store custom selinux constants on files. However, this is of limited use in a machine context, since files in these volumes are externally managed on systems which do not support SELinux. Signed-off-by: Jason T. Greene <jason.greene@redhat.com>
containers · Apr 8, 2024 · 0b36126 · 0b36126
1 parent 19600fa
commit 0b36126
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 1 deletion.
diff --git a/pkg/machine/applehv/machine.go b/pkg/machine/applehv/machine.go
@@ -120,7 +120,7 @@ func generateSystemDFilesForVirtiofsMounts(mounts []machine.VirtIoFs) []ignition
 		mountUnit.Add("Mount", "What", "%s")
 		mountUnit.Add("Mount", "Where", "%s")
 		mountUnit.Add("Mount", "Type", "virtiofs")
-		mountUnit.Add("Mount", "Options", "defcontext=\"system_u:object_r:nfs_t:s0\"")
+		mountUnit.Add("Mount", "Options", "context=\"system_u:object_r:nfs_t:s0\"")
 		mountUnit.Add("Install", "WantedBy", "multi-user.target")
 		mountUnitFile, err := mountUnit.ToString()
 		if err != nil {

diff --git a/pkg/machine/e2e/basic_test.go b/pkg/machine/e2e/basic_test.go
@@ -11,6 +11,7 @@ import (
 	"path/filepath"
 	"time"
 
+	"github.com/containers/podman/v5/pkg/machine/define"
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
 	. "github.com/onsi/gomega/gexec"
@@ -69,6 +70,37 @@ var _ = Describe("run basic podman commands", func() {
 		Expect(rmCon).To(Exit(0))
 	})
 
+	It("Volume ops", func() {
+		skipIfVmtype(define.HyperVVirt, "FIXME: #21036 - Hyper-V podman run -v fails due to path translation issues")
+
+		tDir, err := filepath.Abs(GinkgoT().TempDir())
+		Expect(err).ToNot(HaveOccurred())
+		roFile := filepath.Join(tDir, "attr-test-file")
+
+		// Create the file as ready-only, since some platforms disallow selinux attr writes
+		// The subsequent Z mount should still succeed in spite of that
+		rf, err := os.OpenFile(roFile, os.O_TRUNC|os.O_CREATE|os.O_WRONLY, 0o444)
+		Expect(err).ToNot(HaveOccurred())
+		rf.Close()
+
+		name := randomString()
+		i := new(initMachine).withImage(mb.imagePath).withNow()
+
+		// All other platforms have an implicit mount for the temp area
+		if isVmtype(define.QemuVirt) {
+			i.withVolume(tDir)
+		}
+		session, err := mb.setName(name).setCmd(i).run()
+		Expect(err).ToNot(HaveOccurred())
+		Expect(session).To(Exit(0))
+
+		bm := basicMachine{}
+		// Test relabel works on all platforms
+		runAlp, err := mb.setCmd(bm.withPodmanCommand([]string{"run", "-v", tDir + ":/test:Z", "quay.io/libpod/alpine_nginx", "ls", "/test/attr-test-file"})).run()
+		Expect(err).ToNot(HaveOccurred())
+		Expect(runAlp).To(Exit(0))
+	})
+
 	It("Podman ops with port forwarding and gvproxy", func() {
 		name := randomString()
 		i := new(initMachine)