
Commit a8dd44b

Disable SELinux for profile and workloads
In order for qubesome to work in environments where SELinux is enabled and enforced, the container execution needs to opt out from SELinux. For profiles, it is likely that this will be reversed once we ship a qubesome-specific SELinux policy. For general workloads that is less likely.

Signed-off-by: Paulo Gomes <pjbgf@linux.com>
1 parent 4ea9f5e commit a8dd44b

3 files changed

+4
-1
lines changed

internal/profiles/profiles.go

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -557,7 +557,8 @@ func createNewDisplay(bin string, ca, cert, key []byte, profile *types.Profile,
557557
"-e", "Q_MTLS_CERT",
558558
"-e", "Q_MTLS_KEY",
559559
"--device", "/dev/dri",
560-
"--security-opt=no-new-privileges:true",
560+
"--security-opt=no-new-privileges=true",
561+
"--security-opt=label=disable",
561562
"--cap-drop=ALL",
562563
}
563564
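
Review bot: this hunk bundles an unrelated change with the SELinux opt-out: the `no-new-privileges` separator is switched from `:` to `=` (`"--security-opt=no-new-privileges:true"` becomes `"--security-opt=no-new-privileges=true"`), which the commit message does not mention; please call it out there so the history explains why the profile line changed syntax. On the substantive change, `--security-opt=label=disable` removes SELinux confinement from the display/profile container entirely, and neither `--cap-drop=ALL` nor `no-new-privileges` covers what the SELinux label did, in particular around the `/dev/dri` device that is passed through on the line above. Since the message says this is expected to be reversed once a qubesome-specific policy ships, consider applying the flag only when SELinux is detected as enforcing on the host, so that the relaxation is scoped to the environments that need it and the later revert is a one-line change.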

internal/runners/docker/run.go

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -60,6 +60,7 @@ func Run(ew types.EffectiveWorkload) error {
6060
"--rm",
6161
"-d",
6262
"--security-opt=seccomp=unconfined",
63+
"--security-opt=label=disable",
6364
"--security-opt=no-new-privileges=true",
6465
}
6566
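
Review bot: with this line the docker workload runs with both `seccomp=unconfined` and `label=disable`, leaving `no-new-privileges=true` as the only remaining hardening option in this argument list. Because the commit message says this is unlikely to be reversed for general workloads, the reduced isolation deserves a sentence in the user-facing documentation (and ideally a comment next to these lines explaining that the SELinux label is disabled to keep workloads running on enforcing hosts), so the trade-off is visible to anyone deploying qubesome on a Fedora-style host rather than buried in the runner.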

internal/runners/podman/run.go

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -61,6 +61,7 @@ func Run(ew types.EffectiveWorkload) error {
6161
"-d",
6262
"--security-opt=seccomp=unconfined",
6363
"--security-opt=no-new-privileges=true",
64+
"--security-opt=label=disable",
6465
"--group-add=keep-groups",
6566
}
6667
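
Review bot: the same `"--security-opt=label=disable"` literal is now duplicated across the podman runner, the docker runner and `createNewDisplay` in `internal/profiles/profiles.go`, in a different position relative to `no-new-privileges=true` in each file. Consider factoring the shared security options into one helper (or a package-level slice) so that a future switch to a qubesome-specific SELinux policy, or a host-dependent toggle, only has to be made in one place and the three call sites cannot drift apart. As in the docker hunk, this line combines with the `seccomp=unconfined` two lines above to leave the podman workload without either seccomp or SELinux confinement; that combination is worth stating explicitly in a comment here.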
