Skip to content

Long notation of volumes bind mount handle the selinux labels #13397

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
zhangguanzhang wants to merge 1 commit into from
Closed

Long notation of volumes bind mount handle the selinux labels #13397

zhangguanzhang wants to merge 1 commit into from

Conversation

@zhangguanzhang
Copy link

@zhangguanzhang zhangguanzhang commented Nov 26, 2025

Fixes: #13396

What I did

Related issue

(not mandatory) A picture of a cute animal, if possible in relation to what you did

@zhangguanzhang
Long notation of volumes bind mount handle the selinux labels
d4d187a 
Fixes: docker#13396
Signed-off-by: zhangguanzhang <zhangguanzhang@qq.com>
@zhangguanzhang zhangguanzhang requested a review from a team as a code owner November 26, 2025 02:48
ndeloof
ndeloof requested changes Nov 26, 2025
View reviewed changes
Copy link
Contributor

@ndeloof ndeloof left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

your test case doesn't strictly reproduce #13396 a containers/podman#27600 relies on setting create_host_path: false (so, use the mount API)

Using the long notation, this attribute must be explicitly set (it defaults to true using the short notation)

pkg/compose/create.go
switch {
case bind == nil:
return false
case bind.SELinux != "":
Copy link
Contributor

@ndeloof ndeloof Nov 26, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this has no effect as return false is the default

@zhangguanzhang
Copy link
Author

zhangguanzhang commented Nov 26, 2025

your test case is ok but the fix isn't. The actual root cause is that CreateHostPath isn't set to true by default as it is supposed to be by the spec.

also see compose-spec/compose-go#836

I think I understand. Does it mean this issue should be fixed in the repository https://github.com/compose-spec/compose-go?

@ndeloof
Copy link
Contributor

ndeloof commented Nov 26, 2025
edited
Loading

The root cause is compose-spec/compose-go@978e4cf was missing an update to ServiceVolumeBind.String() to include SELinux

my bad, need one more coffee or read the code more carrefuly :)

@ndeloof ndeloof closed this Nov 26, 2025
@ndeloof
Copy link
Contributor

ndeloof commented Nov 26, 2025
edited
Loading

the actual root cause is that, when using the Mount API, Compose can't set SELinux flag as there's no such option on the mount API (see https://github.com/moby/moby/blob/18d2a08fcf1e02aaccc25482267b714f994ba014/api/types/mount/mount.go#L27)

you can report this to github.com/moby/moby

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ndeloof ndeloof ndeloof requested changes

@glours glours Awaiting requested review from glours glours is a code owner automatically assigned from docker/compose-maintainers

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[BUG] Long notation of volumes bind mount doesn't apply selinux labels

2 participants

@zhangguanzhang @ndeloof