Add support for Selinux mount context labels #393
Conversation
|
@crosbymichael @LK4D4 ping |
|
Why does this not get placed in the Mount.Options array? |
|
@crosbymichael This is for convenience. We could pass it to individual mounts as well. (We had a MountLabel in libcontainer configuration). |
|
An argument in favor is that the value of the label is the same for all the mount points (that we need to label). |
|
Could it every need to be different or will it always be the same? |
|
AFAIK it wouldn't be but would defer to @rhatdan on that. |
config-linux.md
Outdated
| ###### Example | ||
|
|
||
| ```json | ||
| "mountLabel": [ |
There was a problem hiding this comment.
This should not be an array [] right?
|
ok, looking at the existing code this looks good. Only thing is that your json example has this as an array and not just a string |
|
@crosbymichael Fixed. |
|
LGTM |
|
Right now we are still always planning on labeling content inside of the container with the same label. |
|
@mrunalp would you mind adding it to the JSON schema too? otherwise I can do a follow-up PR. |
|
LGTM based on your response ^^ |
|
I'll add it. Sent from my iPhone
|
|
@vbatts Added to schema. |
| ###### Example | ||
|
|
||
| ```json | ||
| "mountLabel": "system_u:object_r:svirt_sandbox_file_t:s0:c715,c811" |
There was a problem hiding this comment.
sorry. One more nit. Please add this line to the "complete json" example in the config.md.
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
|
|
||
| ## Mount Label | ||
|
|
||
| `mountLabel` will set the Selinux context for the mounts in the container. |
There was a problem hiding this comment.
Do we want cross-links between this and config.md's process.selinuxLabel? I expect folks interested in one would also be interested in the other.
|
LGTM |
5 participants
Signed-off-by: Mrunal Patel mrunalp@gmail.com