Merge pull request #4639 from ningmingxiao/selinux_support

ChengyuZhu6 · web-flow · commit d39281db3d03 · 2026-04-26T11:02:19.000+08:00
feature: support selinux
diff --git a/cmd/nerdctl/container/container_run_security_linux_test.go b/cmd/nerdctl/container/container_run_security_linux_test.go
@@ -26,9 +26,14 @@ import (
 
 	"gotest.tools/v3/assert"
 
+	"github.com/containerd/nerdctl/mod/tigron/expect"
+	"github.com/containerd/nerdctl/mod/tigron/test"
+	"github.com/containerd/nerdctl/mod/tigron/tig"
+
 	"github.com/containerd/nerdctl/v2/pkg/apparmorutil"
 	"github.com/containerd/nerdctl/v2/pkg/rootlessutil"
 	"github.com/containerd/nerdctl/v2/pkg/testutil"
+	"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest"
 )
 
 func getCapEff(base *testutil.Base, args ...string) uint64 {
@@ -186,6 +191,106 @@ func TestRunApparmor(t *testing.T) {
 	base.Cmd("run", "--rm", "--privileged", testutil.AlpineImage, "cat", attrCurrentPath).AssertOutContains("unconfined")
 }
 
+func TestRunSelinuxWithSecurityOpt(t *testing.T) {
+	testCase := nerdtest.Setup()
+	testCase.Require = nerdtest.Selinux
+	testContainer := testutil.Identifier(t)
+
+	testCase.SubTests = []*test.Case{
+		{
+			Description: "test run with selinux-enabled",
+			Command: func(data test.Data, helpers test.Helpers) test.TestableCommand {
+				return helpers.Command("--selinux-enabled", "run", "-d", "--security-opt", "label=type:container_t", "--name", testContainer, "sleep", "infinity")
+			},
+			Cleanup: func(data test.Data, helpers test.Helpers) {
+				helpers.Anyhow("rm", "-f", testContainer)
+			},
+			Expected: func(data test.Data, helpers test.Helpers) *test.Expected {
+				return &test.Expected{
+					ExitCode: 0,
+					Output: expect.All(
+						func(stdout string, t tig.T) {
+							inspectOut := helpers.Capture("container", "inspect", "--format", "{{.State.Pid}}", testContainer)
+							pid := strings.TrimSpace(inspectOut)
+							fileName := fmt.Sprintf("/proc/%s/attr/current", pid)
+							data, err := os.ReadFile(fileName)
+							assert.NilError(t, err)
+							assert.Equal(t, strings.Contains(string(data), "container_t"), true)
+						},
+					),
+				}
+			},
+		},
+	}
+	testCase.Run(t)
+}
+func TestRunSelinux(t *testing.T) {
+	testCase := nerdtest.Setup()
+	testCase.Require = nerdtest.Selinux
+	testContainer := testutil.Identifier(t)
+
+	testCase.SubTests = []*test.Case{
+		{
+			Description: "test run with selinux-enabled",
+			Command: func(data test.Data, helpers test.Helpers) test.TestableCommand {
+				return helpers.Command("--selinux-enabled", "run", "-d", "--name", testContainer, "sleep", "infinity")
+			},
+			Cleanup: func(data test.Data, helpers test.Helpers) {
+				helpers.Anyhow("rm", "-f", testContainer)
+			},
+			Expected: func(data test.Data, helpers test.Helpers) *test.Expected {
+				return &test.Expected{
+					ExitCode: 0,
+					Output: expect.All(
+						func(stdout string, t tig.T) {
+							inspectOut := helpers.Capture("container", "inspect", "--format", "{{.State.Pid}}", testContainer)
+							pid := strings.TrimSpace(inspectOut)
+							fileName := fmt.Sprintf("/proc/%s/attr/current", pid)
+							data, err := os.ReadFile(fileName)
+							assert.NilError(t, err)
+							assert.Equal(t, strings.Contains(string(data), "container_t"), true)
+						},
+					),
+				}
+			},
+		},
+	}
+	testCase.Run(t)
+}
+
+func TestRunSelinuxWithVolumeLabel(t *testing.T) {
+	testCase := nerdtest.Setup()
+	testCase.Require = nerdtest.Selinux
+	testContainer := testutil.Identifier(t)
+
+	testCase.SubTests = []*test.Case{
+		{
+			Description: "test run with selinux-enabled",
+			Command: func(data test.Data, helpers test.Helpers) test.TestableCommand {
+				return helpers.Command("--selinux-enabled", "run", "-d", "-v", fmt.Sprintf("/%s:/%s:Z", testContainer, testContainer), "--name", testContainer, "sleep", "infinity")
+			},
+			Cleanup: func(data test.Data, helpers test.Helpers) {
+				helpers.Anyhow("rm", "-f", testContainer)
+				os.RemoveAll(fmt.Sprintf("/%s", testContainer))
+			},
+			Expected: func(data test.Data, helpers test.Helpers) *test.Expected {
+				return &test.Expected{
+					ExitCode: 0,
+					Output: expect.All(
+						func(stdout string, t tig.T) {
+							cmd := exec.Command("ls", "-Z", fmt.Sprintf("/%s", testContainer))
+							lsStdout, err := cmd.CombinedOutput()
+							assert.NilError(t, err)
+							assert.Equal(t, strings.Contains(string(lsStdout), "container_t"), true)
+						},
+					),
+				}
+			},
+		},
+	}
+	testCase.Run(t)
+}
+
 // TestRunSeccompCapSysPtrace tests https://github.com/containerd/nerdctl/issues/976
 func TestRunSeccompCapSysPtrace(t *testing.T) {
 	base := testutil.NewBase(t)
diff --git a/cmd/nerdctl/helpers/flagutil.go b/cmd/nerdctl/helpers/flagutil.go
@@ -154,6 +154,10 @@ func ProcessRootCmdFlags(cmd *cobra.Command) (types.GlobalCommandOptions, error)
 		return types.GlobalCommandOptions{}, err
 	}
 
+	selinuxEnabled, err := cmd.Flags().GetBool("selinux-enabled")
+	if err != nil {
+		return types.GlobalCommandOptions{}, err
+	}
 	// Point to dataRoot for filesystem-helpers implementing rollback / backups.
 	err = fs.InitFS(dataRoot)
 	if err != nil {
@@ -180,6 +184,7 @@ func ProcessRootCmdFlags(cmd *cobra.Command) (types.GlobalCommandOptions, error)
 		DNS:              dns,
 		DNSOpts:          dnsOpts,
 		DNSSearch:        dnsSearch,
+		SelinuxEnabled:   selinuxEnabled,
 	}, nil
 }
 
diff --git a/cmd/nerdctl/main.go b/cmd/nerdctl/main.go
@@ -191,6 +191,7 @@ func initRootCmdFlags(rootCmd *cobra.Command, tomlPath string) (*pflag.FlagSet,
 	helpers.AddPersistentStringFlag(rootCmd, "host-gateway-ip", nil, nil, nil, aliasToBeInherited, cfg.HostGatewayIP, "NERDCTL_HOST_GATEWAY_IP", "IP address that the special 'host-gateway' string in --add-host resolves to. Defaults to the IP address of the host. It has no effect without setting --add-host")
 	helpers.AddPersistentStringFlag(rootCmd, "bridge-ip", nil, nil, nil, aliasToBeInherited, cfg.BridgeIP, "NERDCTL_BRIDGE_IP", "IP address for the default nerdctl bridge network")
 	rootCmd.PersistentFlags().Bool("kube-hide-dupe", cfg.KubeHideDupe, "Deduplicate images for Kubernetes with namespace k8s.io")
+	rootCmd.PersistentFlags().Bool("selinux-enabled", cfg.SelinuxEnabled, "Enable selinux support")
 	rootCmd.PersistentFlags().StringSlice("cdi-spec-dirs", cfg.CDISpecDirs, "The directories to search for CDI spec files. Defaults to /etc/cdi,/var/run/cdi")
 	rootCmd.PersistentFlags().String("userns-remap", cfg.UsernsRemap, "Support idmapping for creating and running containers. This options is only supported on linux. If `host` is passed, no idmapping is done. if a user name is passed, it does idmapping based on the uidmap and gidmap ranges specified in /etc/subuid and /etc/subgid respectively")
 	helpers.HiddenPersistentStringArrayFlag(rootCmd, "global-dns", cfg.DNS, "Global DNS servers for containers")
diff --git a/docs/command-reference.md b/docs/command-reference.md
@@ -255,6 +255,7 @@ Security flags:
 
 - :whale: `--security-opt seccomp=<PROFILE_JSON_FILE>`: specify custom seccomp profile
 - :whale: `--security-opt apparmor=<PROFILE>`: specify custom AppArmor profile
+  :whale: `--security-opt label=<selinuxlabel>`: specify custom selinux label
 - :whale: `--security-opt no-new-privileges`: disallow privilege escalation, e.g., setuid and file capabilities
 - :whale: `--security-opt systempaths=unconfined`: Turn off confinement for system paths (masked paths, read-only paths) for the container
 - :whale: `--security-opt writable-cgroups`: making the cgroups writeable
@@ -1977,6 +1978,7 @@ Flags:
 - :nerd_face: `--host-gateway-ip`: IP address that the special 'host-gateway' string in --add-host resolves to. It has no effect without setting --add-host
   - Default: the IP address of the host
 - :nerd_face: `--userns-remap=<username>:<groupname>`: Support idmapping of containers. This options is only supported on rootful linux for container create and run if a user name and optionally group name is passed, it does idmapping based on the uidmap and gidmap ranges specified in /etc/subuid and /etc/subgid respectively. Note: `--userns-remap` is not supported for building containers. Nerdctl Build doesn't support userns-remap feature. (format: <name|uid>[:<group|gid>])
+- :nerd_face: `--selinux-enabled`: Enable selinux support
 
 The global flags can be also specified in `/etc/nerdctl/nerdctl.toml` (rootful) and `~/.config/nerdctl/nerdctl.toml` (rootless).
 See [`./config.md`](./config.md).
diff --git a/docs/config.md b/docs/config.md
@@ -30,6 +30,7 @@ userns_remap   = ""
 dns            = ["8.8.8.8", "1.1.1.1"]
 dns_opts       = ["ndots:1", "timeout:2"]
 dns_search     = ["example.com", "example.org"]
+selinux_enabled= true
 ```
 
 ## Properties
@@ -56,6 +57,7 @@ dns_search     = ["example.com", "example.org"]
 | `dns`               |                                    |                           | Set global DNS servers for containers                                                                                                                  | Since 2.1.3 |
 | `dns_opts`          |                                    |                           | Set global DNS options for containers                                                                                                                         | Since 2.1.3 |
 | `dns_search`        |                                    |                           | Set global DNS search domains for containers                                                                                                           | Since 2.1.3 |
+| `selinux_enabled`        |                                    |                           |Enable selinux support for containers                                                                                                           | Since 2.3.0 |
 
 The properties are parsed in the following precedence:
 1. CLI flag
diff --git a/go.mod b/go.mod
@@ -54,6 +54,7 @@ require (
 	github.com/opencontainers/go-digest v1.0.0
 	github.com/opencontainers/image-spec v1.1.1
 	github.com/opencontainers/runtime-spec v1.3.0
+	github.com/opencontainers/selinux v1.13.1
 	github.com/pelletier/go-toml/v2 v2.3.0
 	github.com/rootless-containers/bypass4netns v0.4.2 //gomodjail:unconfined
 	github.com/rootless-containers/rootlesskit/v3 v3.0.0 //gomodjail:unconfined
@@ -148,6 +149,7 @@ require (
 )
 
 require (
+	cyphar.com/go-pathrs v0.2.1 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/moby/moby/api v1.54.2 // indirect
 	github.com/moby/sys/capability v0.4.0 // indirect
diff --git a/pkg/cmd/container/run_linux.go b/pkg/cmd/container/run_linux.go
@@ -71,7 +71,7 @@ func setPlatformOptions(ctx context.Context, client *containerd.Client, id, uts
 	}
 	opts = append(opts, capOpts...)
 	securityOptsMaps := strutil.ConvertKVStringsToMap(strutil.DedupeStrSlice(options.SecurityOpt))
-	secOpts, err := generateSecurityOpts(options.Privileged, securityOptsMaps)
+	secOpts, err := generateSecurityOpts(options.Privileged, options.GOptions.SelinuxEnabled, securityOptsMaps)
 	if err != nil {
 		return nil, err
 	}
diff --git a/pkg/cmd/container/run_security_linux.go b/pkg/cmd/container/run_security_linux.go
@@ -17,14 +17,19 @@
 package container
 
 import (
+	"context"
 	"errors"
 	"fmt"
 	"strconv"
 	"strings"
 	"sync"
 
+	"github.com/opencontainers/runtime-spec/specs-go"
+	"github.com/opencontainers/selinux/go-selinux/label"
+
 	"github.com/containerd/containerd/v2/contrib/apparmor"
 	"github.com/containerd/containerd/v2/contrib/seccomp"
+	"github.com/containerd/containerd/v2/core/containers"
 	"github.com/containerd/containerd/v2/pkg/cap"
 	"github.com/containerd/containerd/v2/pkg/oci"
 	"github.com/containerd/log"
@@ -51,10 +56,10 @@ const (
 	systemPathsUnconfined = "unconfined"
 )
 
-func generateSecurityOpts(privileged bool, securityOptsMap map[string]string) ([]oci.SpecOpts, error) {
+func generateSecurityOpts(privileged bool, selinuxEnabled bool, securityOptsMap map[string]string) ([]oci.SpecOpts, error) {
 	for k := range securityOptsMap {
 		switch k {
-		case "seccomp", "apparmor", "no-new-privileges", "systempaths", "privileged-without-host-devices", "writable-cgroups":
+		case "seccomp", "apparmor", "no-new-privileges", "systempaths", "privileged-without-host-devices", "writable-cgroups", "label":
 		default:
 			log.L.Warnf("unknown security-opt: %q", k)
 		}
@@ -95,6 +100,18 @@ func generateSecurityOpts(privileged bool, securityOptsMap map[string]string) ([
 			opts = append(opts, apparmor.WithProfile(defaults.AppArmorProfileName))
 		}
 	}
+	// TODO: should set unique MCS categorie.
+	if !privileged && selinuxEnabled {
+		var labelOpts []string
+		if selinuxLabel, ok := securityOptsMap["label"]; ok {
+			labelOpts = append(labelOpts, selinuxLabel)
+		}
+		processLabel, mountLabel, err := label.InitLabels(labelOpts)
+		if err != nil {
+			return nil, err
+		}
+		opts = append(opts, WithSelinuxLabel(processLabel, mountLabel))
+	}
 
 	nnp, err := maputil.MapBoolValueAsOpt(securityOptsMap, "no-new-privileges")
 	if err != nil {
@@ -141,6 +158,21 @@ func generateSecurityOpts(privileged bool, securityOptsMap map[string]string) ([
 	return opts, nil
 }
 
+// WithSelinuxLabels sets the mount and process labels
+func WithSelinuxLabel(process, mount string) oci.SpecOpts {
+	return func(_ context.Context, _ oci.Client, _ *containers.Container, s *oci.Spec) error {
+		if s.Linux == nil {
+			s.Linux = &specs.Linux{}
+		}
+		if s.Process == nil {
+			s.Process = &specs.Process{}
+		}
+		s.Linux.MountLabel = mount
+		s.Process.SelinuxLabel = process
+		return nil
+	}
+}
+
 func canonicalizeCapName(s string) string {
 	if s == "" {
 		return ""
diff --git a/pkg/cmd/system/info.go b/pkg/cmd/system/info.go
@@ -69,7 +69,7 @@ func Info(ctx context.Context, client *containerd.Client, options types.SystemIn
 			return err
 		}
 	case "dockercompat":
-		infoCompat, err = infoutil.Info(ctx, client, options.GOptions.Snapshotter, options.GOptions.CgroupManager)
+		infoCompat, err = infoutil.Info(ctx, client, options.GOptions.Snapshotter, options.GOptions.CgroupManager, options.GOptions.SelinuxEnabled)
 		if err != nil {
 			return err
 		}
diff --git a/pkg/config/config.go b/pkg/config/config.go
@@ -47,6 +47,7 @@ type Config struct {
 	DNSOpts          []string `toml:"dns_opts,omitempty"`
 	DNSSearch        []string `toml:"dns_search,omitempty"`
 	DisableHCSystemd bool     `toml:"disable_hc_systemd"`
+	SelinuxEnabled   bool     `toml:"selinux_enabled"`
 }
 
 // New creates a default Config object statically,
@@ -63,6 +64,7 @@ func New() *Config {
 		DataRoot:         ncdefaults.DataRoot(),
 		CgroupManager:    ncdefaults.CgroupManager(),
 		InsecureRegistry: false,
+		SelinuxEnabled:   false,
 		HostsDir:         ncdefaults.HostsDirs(),
 		Experimental:     true,
 		HostGatewayIP:    ncdefaults.HostGatewayIP(),
diff --git a/pkg/infoutil/infoutil.go b/pkg/infoutil/infoutil.go
@@ -62,7 +62,7 @@ func NativeDaemonInfo(ctx context.Context, client *containerd.Client) (*native.D
 	return daemonInfo, nil
 }
 
-func Info(ctx context.Context, client *containerd.Client, snapshotter, cgroupManager string) (*dockercompat.Info, error) {
+func Info(ctx context.Context, client *containerd.Client, snapshotter, cgroupManager string, selinuxEnabled bool) (*dockercompat.Info, error) {
 	daemonVersion, err := client.Version(ctx)
 	if err != nil {
 		return nil, err
@@ -95,7 +95,7 @@ func Info(ctx context.Context, client *containerd.Client, snapshotter, cgroupMan
 		return nil, err
 	}
 	info.ServerVersion = daemonVersion.Version
-	fulfillPlatformInfo(&info)
+	fulfillPlatformInfo(&info, selinuxEnabled)
 	return &info, nil
 }
 
diff --git a/pkg/infoutil/infoutil_darwin.go b/pkg/infoutil/infoutil_darwin.go
@@ -28,7 +28,7 @@ func CgroupsVersion() string {
 	return ""
 }
 
-func fulfillPlatformInfo(info *dockercompat.Info) {
+func fulfillPlatformInfo(info *dockercompat.Info, selinuxEnabled bool) {
 	// unimplemented
 }
 
diff --git a/pkg/infoutil/infoutil_freebsd.go b/pkg/infoutil/infoutil_freebsd.go
@@ -28,7 +28,7 @@ func CgroupsVersion() string {
 	return ""
 }
 
-func fulfillPlatformInfo(info *dockercompat.Info) {
+func fulfillPlatformInfo(info *dockercompat.Info, selinuxEnabled bool) {
 	// unimplemented
 }
 
diff --git a/pkg/infoutil/infoutil_linux.go b/pkg/infoutil/infoutil_linux.go
@@ -42,7 +42,7 @@ func CgroupsVersion() string {
 	return "1"
 }
 
-func fulfillSecurityOptions(info *dockercompat.Info) {
+func fulfillSecurityOptions(info *dockercompat.Info, selinuxEnabled bool) {
 	if apparmorutil.CanApplyExistingProfile() {
 		info.SecurityOptions = append(info.SecurityOptions, "name=apparmor")
 		if rootlessutil.IsRootless() && !apparmorutil.CanApplySpecificExistingProfile(defaults.AppArmorProfileName) {
@@ -52,6 +52,9 @@ WARNING: AppArmor profile %q is not loaded.
          This warning is negligible if you do not intend to use AppArmor.`), defaults.AppArmorProfileName))
 		}
 	}
+	if selinuxEnabled {
+		info.SecurityOptions = append(info.SecurityOptions, "name=selinux")
+	}
 	info.SecurityOptions = append(info.SecurityOptions, "name=seccomp,profile="+defaults.SeccompProfileName)
 	if defaults.CgroupnsMode() == "private" {
 		info.SecurityOptions = append(info.SecurityOptions, "name=cgroupns")
@@ -65,8 +68,8 @@ WARNING: AppArmor profile %q is not loaded.
 //
 // fulfillPlatformInfo requires the following fields to be set:
 // SecurityOptions, CgroupDriver, CgroupVersion
-func fulfillPlatformInfo(info *dockercompat.Info) {
-	fulfillSecurityOptions(info)
+func fulfillPlatformInfo(info *dockercompat.Info, selinuxEnabled bool) {
+	fulfillSecurityOptions(info, selinuxEnabled)
 	mobySysInfo := mobySysInfo(info)
 
 	if info.CgroupDriver == "none" {
diff --git a/pkg/infoutil/infoutil_windows.go b/pkg/infoutil/infoutil_windows.go
@@ -194,7 +194,7 @@ func CgroupsVersion() string {
 	return ""
 }
 
-func fulfillPlatformInfo(info *dockercompat.Info) {
+func fulfillPlatformInfo(info *dockercompat.Info, selinuxEnabled bool) {
 	mobySysInfo := mobySysInfo(info)
 
 	// NOTE: cgroup fields are not available on Windows
diff --git a/pkg/mountutil/mountutil_linux.go b/pkg/mountutil/mountutil_linux.go
diff --git a/pkg/testutil/nerdtest/requirements.go b/pkg/testutil/nerdtest/requirements.go

Original file line number	Diff line number	Diff line change
`@@ -71,7 +71,7 @@ func setPlatformOptions(ctx context.Context, client *containerd.Client, id, uts`
`71`	`71`	`}`
`72`	`72`	`opts = append(opts, capOpts...)`
`73`	`73`	`securityOptsMaps := strutil.ConvertKVStringsToMap(strutil.DedupeStrSlice(options.SecurityOpt))`
`74`		`- secOpts, err := generateSecurityOpts(options.Privileged, securityOptsMaps)`
	`74`	`+ secOpts, err := generateSecurityOpts(options.Privileged, options.GOptions.SelinuxEnabled, securityOptsMaps)`
`75`	`75`	`if err != nil {`
`76`	`76`	`return nil, err`
`77`	`77`	`}`
Original file line number	Diff line number	Diff line change
`@@ -69,7 +69,7 @@ func Info(ctx context.Context, client *containerd.Client, options types.SystemIn`
`69`	`69`	`return err`
`70`	`70`	`}`
`71`	`71`	`case "dockercompat":`
`72`		`- infoCompat, err = infoutil.Info(ctx, client, options.GOptions.Snapshotter, options.GOptions.CgroupManager)`
	`72`	`+ infoCompat, err = infoutil.Info(ctx, client, options.GOptions.Snapshotter, options.GOptions.CgroupManager, options.GOptions.SelinuxEnabled)`
`73`	`73`	`if err != nil {`
`74`	`74`	`return err`
`75`	`75`	`}`