feature: support selinux #4639

ningmingxiao · 2025-12-06T09:19:47Z

ping @AkihiroSuda

cmd/nerdctl/container/container_run_security_linux_test.go

pkg/config/config.go

cmd/nerdctl/container/container_run_security_linux_test.go

AkihiroSuda · 2025-12-08T03:58:35Z

cmd/nerdctl/container/container_run_security_linux_test.go

+	if err != nil {
+		output := strings.TrimSpace(string(stdout))
+		if strings.Contains(output, "container_t") {
+			t.Fatal(fmt.Errorf("expect label container_t but get %s", output))


The uniqueness of the MCS categories have to be checked too?

what do you think how to check? @AkihiroSuda

Just run multiple containers and check that the MCS categories are different

because nerdctl doesn't save selinux label into db, nerdctl is a brief process， so may have chance to have same MCS categories . may be I should refer container id to keep special.

what's the disadvantage if 2 containers have same MCS categories ?

or we should let containerd call label.InitLabels(labelOpts) instead of let nerdctl create it @AkihiroSuda

docs/command-reference.md

AkihiroSuda · 2025-12-11T06:10:48Z

docs/config.md

+selinux_enabled= true
 ```

 ## Properties


Needs to be updated

I don't understand what you meean ? about selinux_enabled= true @AkihiroSuda

pkg/testutil/nerdtest/requirements.go

cmd/nerdctl/container/container_run_security_linux_test.go

AkihiroSuda · 2025-12-11T06:14:35Z

cmd/nerdctl/container/container_run_security_linux_test.go

+		{
+			Description: "test run with selinux-enabled",
+			Command: func(data test.Data, helpers test.Helpers) test.TestableCommand {
+				return helpers.Command("--selinux-enabled", "run", "-d", "-v", fmt.Sprintf("/%s:/%s:Z", testContainer, testContainer), "--name", testContainer, "sleep", "infinity")


lower z should be tested too
https://docs.docker.com/engine/storage/bind-mounts/#configure-the-selinux-label

The z option indicates that the bind mount content is shared among multiple containers.
The Z option indicates that the bind mount content is private and unshared.

This should be verified by launching multiple containers

pkg/mountutil/mountutil_linux.go

AkihiroSuda · 2025-12-22T09:50:59Z

Needs rebase

ningmingxiao · 2025-12-22T11:02:38Z

Needs rebase

done

Signed-off-by: ningmingxiao <[email protected]>

ningmingxiao · 2025-12-25T02:07:41Z

do we need add a new api in containerd to manage selinuxlabel ? because " label.InitLabels(labelOptions)" should run on server to keep unique @AkihiroSuda

ningmingxiao force-pushed the selinux_support branch 7 times, most recently from d69b7e0 to 2eaa687 Compare December 6, 2025 15:21

ningmingxiao changed the title ~~feature:support selinux use --security-opt label=xxx~~ feature:support selinux Dec 6, 2025

ningmingxiao changed the title ~~feature:support selinux~~ feature: support selinux Dec 6, 2025

ningmingxiao force-pushed the selinux_support branch from 2eaa687 to 1e356d6 Compare December 6, 2025 15:29

This was referenced Dec 6, 2025

Support SELinux: --security-opt label #4608

Open

Support nerdctl run --security-opt=XXX #11

Open

ningmingxiao force-pushed the selinux_support branch from 1e356d6 to 56a8926 Compare December 7, 2025 02:15