podman run volume mount option "z" does not relabel mount point and contents

[vikas-goel]

Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

/kind bug

Description

When a volume is mounted to a container with SELinux z option with podman run command, the volume remains unlabeled. The z option has no effect. The container processes cannot access the mount point and the contents.

Steps to reproduce the issue:

1. Create a persistent named volume podman volume create --driver <driver-name> nbconf

2. Start a container with the volume podman run -dt --volume nbconf:/mnt/nbconf:z --name tme-mas-02 <container-image>

3. Access the mount point inside the container podman exec -it tme-mas-02 bash followed by ls -l /mnt/nbconf

Describe the results you received:

# podman exec -it tme-mas-02 bash
bash-4.2# ls -l /mnt/nbconf
ls: cannot open directory /mnt/nbconf: Permission denied
bash-4.2# ls -Zd /mnt/nbconf
drwxr-xr-x. root root system_u:object_r:unlabeled_t:s0 /mnt/nbconf
bash-4.2#

Describe the results you expected:
The expected result is that the mount point and contents are relabeled to container_file_t. Docker does it when z option is specified.

bash-4.2# ls -Zd /mnt/nbconf
drwxr-xr-x. root root system_u:object_r:container_file_t:s0 /mnt/nbconf
bash-4.2#

Additional information you deem important (e.g. issue happens only occasionally):
Consistent

Output of podman version:

Version:      3.0.2-dev
API Version:  3.0.0
Go Version:   go1.15.7
Built:        Tue Mar  2 07:10:06 2021
OS/Arch:      linux/amd64

Output of podman info --debug:

host:
  arch: amd64
  buildahVersion: 1.19.4
  cgroupManager: systemd
  cgroupVersion: v1
  conmon:
    package: conmon-2.0.26-1.module+el8.4.0+10198+36d1d0e3.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.0.26, commit: 0a5175681bdd52b99f1f0f442cbba8f8c126a1c9'
  cpus: 8
  distribution:
    distribution: '"rhel"'
    version: "8.4"
  eventLogger: file
  hostname: flex-vm-02.dc2.ros2100.veritas.com
  idMappings:
    gidmap: null
    uidmap: null
  kernel: 4.18.0-293.el8.x86_64
  linkmode: dynamic
  memFree: 8781361152
  memTotal: 33511845888
  ociRuntime:
    name: runc
    package: runc-1.0.0-70.rc92.module+el8.4.0+10198+36d1d0e3.x86_64
    path: /usr/bin/runc
    version: 'runc version spec: 1.0.2-dev'
  os: linux
  remoteSocket:
    exists: true
    path: /run/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_NET_RAW,CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: false
    seccompEnabled: true
    selinuxEnabled: true
  slirp4netns:
    executable: ""
    package: ""
    version: ""
  swapFree: 16910032896
  swapTotal: 16924012544
  uptime: 66h 45m 19.64s (Approximately 2.75 days)
registries:
  search:
  - registry.access.redhat.com
  - registry.redhat.io
  - docker.io
store:
  configFile: /etc/containers/storage.conf
  containerStore:
    number: 5
    paused: 0
    running: 2
    stopped: 3
  graphDriverName: overlay
  graphOptions:
    overlay2.size: 10G
  graphRoot: /var/lib/containers/storage
  graphStatus:
    Backing Filesystem: xfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Using metacopy: "false"
  imageStore:
    number: 3
  runRoot: /run/containers/storage
  volumePath: /var/lib/containers/storage/volumes
version:
  APIVersion: 3.0.0
  Built: 1614697806
  BuiltTime: Tue Mar  2 07:10:06 2021
  GitCommit: ""
  GoVersion: go1.15.7
  OsArch: linux/amd64
  Version: 3.0.2-dev

Package info (e.g. output of rpm -q podman or apt list podman):

podman-3.0.1-3.module+el8.4.0+10198+36d1d0e3.x86_64

Have you tested with the latest version of Podman and have you checked the Podman Troubleshooting Guide? (https://github.com/containers/podman/blob/master/troubleshooting.md)

No

Additional environment details (AWS, VirtualBox, physical, etc.):
Red Hat Enterprise Linux 8.4 Beta
VMware virtual machine

[rhatdan]

What kind of file system is mounted at /mnt/nbconf?

This works perfectly for me:

# podman run --volume nbconf:/mnt/nbconf:z --rm fedora ls -ldZ /mnt/nbconf
drwxr-xr-x. 2 root root system_u:object_r:container_file_t:s0 6 May 10 13:30 /mnt/nbconf
$ podman run --volume nbconf:/mnt/nbconf:z --rm fedora ls -ldZ /mnt/nbconf
drwxr-xr-x. 2 root root system_u:object_r:container_file_t:s0 4096 May 10 13:29 /mnt/nbconf
$ podman -v
podman version 3.2.0-rc1

[vikas-goel]

Hi @rhatdan ,
It is a loop device. https://github.com/vikas-goel/filevol

[mheon]

That explains it. I deliberately disabled labeling of volume plugins given that they may be different devices not managed by Podman. Does Docker relabel these?

…

On Mon, May 10, 2021 at 10:58 Vikas Goel ***@***.***> wrote: Hi @rhatdan <https://github.com/rhatdan> , It is a loop device. https://github.com/vikas-goel/filevol — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#10273 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AB3AOCDHPJSOQRDLRMYN5SDTM7YAJANCNFSM44LLCOXA> .

[vikas-goel]

Yes, Docker relabels all kinds of volumes to container_file_t when z is specified. Docker supports uppercase Z too that would set MCS of the container on the volume and contents.

[mheon]

Ok. Simple fix, then - should be in Podman 3.2, RHEL 8.4.0.2

…

On Mon, May 10, 2021 at 11:08 Vikas Goel ***@***.***> wrote: Yes, Docker relabels all kinds of volumes. Docker supports uppercase Z too that would set MCS of the container on the volume and contents. — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#10273 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AB3AOCAMZD3A7JRUV5XSZVTTM7ZG3ANCNFSM44LLCOXA> .

[vikas-goel]

Thanks @mheon . What's the plan to introduce uppercase Z support?

[mheon]

Same change will do both

…

On Mon, May 10, 2021 at 12:41 Vikas Goel ***@***.***> wrote: Thanks @mheon <https://github.com/mheon> . What's the plan to introduce uppercase Z support? — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#10273 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AB3AOCCLRW7AY3NK27D2W5DTNAEDTANCNFSM44LLCOXA> .

[vikas-goel]

Fantastic. The podman manual/doc does not talk about uppercase Z support.

[vikas-goel]

The uppercase Z is not effective on local volumes. No MCS category ids get set.

[mheon]

Yeah, this has proved to be a bit more complex than I expected. I’ll take a further look on Thursday.

…

On Mon, May 10, 2021 at 17:24 Vikas Goel ***@***.***> wrote: The uppercase Z is not effective on local volumes. No MCS category ids get set. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#10273 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AB3AOCDC3SNHJRHFB7CXQUTTNBFJXANCNFSM44LLCOXA> .

[vikas-goel]

Thank you @mheon. I can verify the fix on my setup if I get a package for RHEL8.4 Beta.

[vikas-goel]

Hi guys (@mheon , @rhatdan),
Is podman 3.2.2 package going to be available for Centos 8?

[mheon]

8, or Stream 8? It ought to be in Stream 8 already. I don't know whether non-Stream 8 will update to 8.4.x before it EOLs, but if it does it will include this.

[vikas-goel]

Yes, Stream-8. The latest version there is 3.1.0.

http://mirror.centos.org/centos/8-stream/AppStream/x86_64/os/Packages/

Am I looking at wrong location?

[rhatdan]

@jnovy @lsm5 PTAL?

I think once we build a podman 3.2 for RHEL it will show up in Centos Stream. Perhaps we have not done this yet. Centos 8 will get it after RHEL8.5 is released. (Likely Podman 3.3)