Add relabel option to secrets #1210
Draft
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
On selinux enabled system, the secrets cannot be read without proper relabeling or correct policy being set. This patch enables user to instruc podman-copose to use :z or :Z mount options to make podman relabel the file under bind-mount. More info here: https://unix.stackexchange.com/questions/728801/host-wide-consequences-of-setting-selinux-z-z-option-on-container-bind-mounts?rq=1 Signed-off-by: Jaroslav Henner <1187265+jarovo@users.noreply.github.com>
|
Is this part of compose spec? Seems that no. In such case it should be named with |
Thanks for the suggestion. It is not a part of the docker-compose spec and i don't know about any equivalent option there. What about changig this to zzmount? |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
On selinux enabled system, the secrets cannot be read without proper relabeling or correct policy being set.
This patch enables user to instruc podman-copose to use :z or :Z mount options to make podman relabel the file under bind-mount.
More info here:
https://unix.stackexchange.com/questions/728801/host-wide-consequences-of-setting-selinux-z-z-option-on-container-bind-mounts?rq=1
Contributor Checklist:
If this PR adds a new feature that improves compatibility with docker-compose, please add a link
to the exact part of compose spec that the PR touches.
For any user-visible change please add a release note to newsfragments directory, e.g.
newsfragments/my_feature.feature. See newsfragments/README.md for more details.
All changes require additional unit tests.