Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add support for selinux in verbose bind mount specification #911

Merged
merged 2 commits into from
May 19, 2024
Merged

Add support for selinux in verbose bind mount specification #911

merged 2 commits into from
May 19, 2024

Conversation

charliemirabile
Copy link
Contributor

As specified here in the compose schema: https://github.com/compose-spec/compose-spec/blob/c35d19323fdfd7dbf9db30022498e29ef5ebeab2/schema/compose-spec.json#L382-L388

and described here in the compose spec: https://github.com/compose-spec/compose-spec/blob/master/05-services.md#long-syntax-5

it should be possible to specify selinux relabeling for a bind mount specified using the verbose syntax (as opposed to the terse syntax which already works). This PR adds support for this syntax in podman compose to achieve parity with docker compose in this area.

@charliemirabile
add support for selinux in verbose mount
d7cf096 
This corresponds to specifying the `z` or `Z` option in the third
portion of a terse mount specification (i.e. src:trg:z)

Signed-off-by: charliemirabile <46761267+charliemirabile@users.noreply.github.com>
@charliemirabile
add tests for selinux with verbose bind mount
3e1f7d5 
based on seccomp test. Without the selinux option, visiting localhost:8080
will give a 404 error because httpd cannot access the file, but with selinux: z
the context for the file will be appropriately updated so httpd can access it

Signed-off-by: charliemirabile <46761267+charliemirabile@users.noreply.github.com>
p12tic
p12tic reviewed Apr 17, 2024
View reviewed changes
podman_compose.py
@@ -431,6 +431,11 @@ def mount_desc_to_mount_args(compose, mount_desc, srv_name, cnt_name): # pylint
tmpfs_mode = tmpfs_opts.get("mode", None)
if tmpfs_mode:
opts.append(f"tmpfs-mode={tmpfs_mode}")
if mount_type == "bind":
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should add a test for the function this code lives in in pytests/

p12tic
p12tic reviewed Apr 17, 2024
View reviewed changes
podman_compose.py
@@ -486,6 +491,12 @@ def mount_desc_to_volume_args(compose, mount_desc, srv_name, cnt_name): # pylin
read_only = mount_desc.get("read_only", None)
if read_only is not None:
opts.append("ro" if read_only else "rw")
if mount_type == "bind":
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should add a test for the function this code lives in in pytests/

p12tic
p12tic requested changes Apr 17, 2024
View reviewed changes
Copy link
Collaborator

@p12tic p12tic left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good, but needs tests.

@muayyad-alsadi muayyad-alsadi merged commit 5d4de80 into containers:main May 19, 2024
8 checks passed
@p12tic
Copy link
Collaborator

p12tic commented May 20, 2024

@muayyad-alsadi Please don't merge PRs that have unaddressed concerns raised

@p12tic p12tic mentioned this pull request May 20, 2024
Closed
charliemirabile added a commit to charliemirabile/podman-compose that referenced this pull request May 21, 2024
@charliemirabile
test: add missing unit tests for selinux in verbose mount
a8ef669 
Support for setting the selinux flags on a bind mount specified using
the verbose syntax was merged as part of containers#911, but at that time the PR
lacked unit tests. This commit adds the missing tests

Signed-off-by: charliemirabile <46761267+charliemirabile@users.noreply.github.com>
charliemirabile added a commit to charliemirabile/podman-compose that referenced this pull request May 21, 2024
@charliemirabile
test: add missing unit tests for selinux in verbose mount
3bf5947 
Support for setting the selinux flags on a bind mount specified using
the verbose syntax was merged as part of containers#911, but at that time the PR
lacked unit tests. This commit adds the missing tests

Signed-off-by: charliemirabile <46761267+charliemirabile@users.noreply.github.com>
@charliemirabile charliemirabile mentioned this pull request May 21, 2024
Merged
charliemirabile added a commit to charliemirabile/podman-compose that referenced this pull request May 21, 2024
@charliemirabile
test: add missing unit tests for selinux in verbose mount
baea8c3 
Support for setting the selinux flags on a bind mount specified using
the verbose syntax was merged as part of containers#911, but at that time the PR
lacked unit tests. This commit adds the missing tests

Signed-off-by: charliemirabile <46761267+charliemirabile@users.noreply.github.com>
charliemirabile added a commit to charliemirabile/podman-compose that referenced this pull request May 21, 2024
@charliemirabile
test: add missing unit tests for selinux in verbose mount
b513f50 
Support for setting the selinux flags on a bind mount specified using
the verbose syntax was merged as part of containers#911, but at that time the PR
lacked unit tests. This commit adds the missing tests

Signed-off-by: charliemirabile <46761267+charliemirabile@users.noreply.github.com>
@charliemirabile charliemirabile deleted the selinux branch May 22, 2024 16:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@p12tic p12tic p12tic requested changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@charliemirabile @p12tic @muayyad-alsadi