
Documentation for :Z ignores pod case #23329

Closed
tangentsoft opened this issue Jul 18, 2024 · 3 comments · Fixed by #23667
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments

@tangentsoft

tangentsoft commented Jul 18, 2024

Issue Description

The documentation for the :Z mount flag claims, "Only the current container can use a private volume," but that ignores the pod case.

Steps to reproduce the issue

Here's a simple two-terminal test proving the documentation partially accurate:

term1$ mkdir -p ~/tmp/individual
term1$ podman run --rm -it -v ~/tmp/individual:/tmp:Z alpine
/ # echo term1 > /tmp/test
term2$ podman run --rm -it -v ~/tmp/individual:/tmp:Z alpine
/ # echo term2 >> /tmp/test
/bin/sh: can't create /tmp/test: Permission denied

But, if you create them both under the same pod so that they share the volume:

term1$ mkdir -p ~/tmp/podmates
term1$ podman pod create -v ~/tmp/podmates:/tmp:Z foo
term1$ podman run --rm -it --pod foo alpine
/ # echo 'hello from term1' > /tmp/test
term2$ podman run --rm -it --pod foo alpine
/ # echo 'hello from term2' >> /tmp/test
term3$ cat ~/tmp/podmates/test
hello from term1
hello from term2
term3$ stat ~/tmp/podmates
…Context: system_u:object_r:container_file_t:s0:c171,c253…

Thus, although this bind-mounted directory got an unshared SELinux label due to the :Z flag on the pod's --volume option, both containers were able to write a file into it.

This is an important feature worth documenting, both for its own sake and to avoid inadvertently breaking it in the future. If it did not behave this way, I would instead be here advocating for a third mount flag to give this behavior. (I was fully prepared to propose ℤ. 🤓)

Describe the results you received

Permission denied error with wholly separate containers, but no error with containers sharing a pod.

Describe the results you expected

It does work as expected, today. This merely needs to be documented and protected from inadvertently changing in the future by a regression test.

podman info output

host:
  arch: amd64
  buildahVersion: 1.33.7
  cgroupControllers:
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.1.10-1.el9.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.10, commit: 574ce145d4fde456322f648afc2cb9dc2141ee16'
  cpuUtilization:
    idlePercent: 99.8
    systemPercent: 0.04
    userPercent: 0.16
  cpus: 10
  databaseBackend: boltdb
  distribution:
    distribution: almalinux
    version: "9.4"
  eventLogger: journald
  freeLocks: 2039
  hostname: carmine
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
  kernel: 5.14.0-427.22.1.el9_4.x86_64
  linkmode: dynamic
  logDriver: journald
  memFree: 749793280
  memTotal: 3829465088
  networkBackend: netavark
  networkBackendInfo:
    backend: netavark
    dns:
      package: aardvark-dns-1.10.0-3.el9_4.x86_64
      path: /usr/libexec/podman/aardvark-dns
      version: aardvark-dns 1.10.0
    package: netavark-1.10.3-1.el9.x86_64
    path: /usr/libexec/podman/netavark
    version: netavark 1.10.3
  ociRuntime:
    name: crun
    package: crun-1.14.3-1.el9.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 1.14.3
      commit: 1961d211ba98f532ea52d2e80f4c20359f241a98
      rundir: /run/user/1000/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL
  os: linux
  pasta:
    executable: ""
    package: ""
    version: ""
  remoteSocket:
    exists: true
    path: /run/user/1000/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: true
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.2.3-1.el9.x86_64
    version: |-
      slirp4netns version 1.2.3
      commit: c22fde291bb35b354e6ca44d13be181c76a0a432
      libslirp: 4.4.0
      SLIRP_CONFIG_VERSION_MAX: 3
      libseccomp: 2.5.2
  swapFree: 4173066240
  swapTotal: 4294963200
  uptime: 188h 34m 27.00s (Approximately 7.83 days)
  variant: ""
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  search:
  - registry.access.redhat.com
  - registry.redhat.io
  - docker.io
store:
  configFile: /home/tangent/.config/containers/storage.conf
  containerStore:
    number: 5
    paused: 0
    running: 4
    stopped: 1
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /home/tangent/.local/share/containers/storage
  graphRootAllocated: 63762120704
  graphRootUsed: 62004649984
  graphStatus:
    Backing Filesystem: xfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Supports shifting: "false"
    Supports volatile: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 3943
  runRoot: /run/user/1000/containers
  transientStore: false
  volumePath: /home/tangent/.local/share/containers/storage/volumes
version:
  APIVersion: 4.9.4-rhel
  Built: 1720519277
  BuiltTime: Tue Jul  9 04:01:17 2024
  GitCommit: ""
  GoVersion: go1.21.11 (Red Hat 1.21.11-1.el9_4)
  Os: linux
  OsArch: linux/amd64
  Version: 4.9.4-rhel

Podman in a container

No

Privileged Or Rootless

Rootless

Upstream Latest Release

No


@tangentsoft tangentsoft added the kind/bug Categorizes issue or PR as related to a bug. label Jul 18, 2024
@Luap99
Member

Luap99 commented Jul 18, 2024

Containers in a pod all use the same label, so they are the same "container" from the SELinux POV.

d0f3c17
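The reason given above can be made concrete with a small model of the MCS check that :Z relies on. This is an added example, not Podman's or the SELinux policy's own code: it parses contexts in the format `stat` printed above and applies the MCS dominance rule (the subject's category set must be a superset of the object's) to the two scenarios from the report. The category pairs and the host user context are constructed sample values, and type enforcement (container_t vs container_file_t) is assumed to permit the access, so only the category part of the decision is modelled.

```python
import re

def mcs_categories(context: str) -> frozenset:
    """Category set of an SELinux context such as
    'system_u:object_r:container_file_t:s0:c171,c253'.

    The fourth field is the MLS/MCS level or level range. MCS constraints
    compare the subject's high level with the object's, so for a range like
    's0-s0:c0.c1023' the part after '-' is used; container contexts are
    single-level, so low and high coincide.
    """
    level_range = context.split(":", 3)[3]
    high = level_range.split("-")[-1]
    sens_and_cats = high.split(":", 1)
    if len(sens_and_cats) == 1:          # plain 's0': no categories at all
        return frozenset()
    cats = set()
    for piece in sens_and_cats[1].split(","):
        m = re.fullmatch(r"c(\d+)(?:\.c(\d+))?", piece)   # 'c171' or 'c0.c1023'
        if m is None:
            raise ValueError(f"malformed MCS category {piece!r} in {context!r}")
        lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
        cats.update(range(lo, hi + 1))
    return frozenset(cats)

def mcs_dominates(subject_context: str, object_context: str) -> bool:
    """MCS rule for reading or writing a file: the subject's categories must be
    a superset of the file's. Type enforcement is assumed to allow the access."""
    return mcs_categories(subject_context) >= mcs_categories(object_context)

def writers_allowed(subject_contexts, file_context):
    """Apply the rule for each would-be writer of one file."""
    return [mcs_dominates(s, file_context) for s in subject_contexts]

# Constructed sample labels (invented category pairs; Podman picks them at random).
TERM1_CONTAINER = "system_u:system_r:container_t:s0:c171,c253"
TERM2_CONTAINER = "system_u:system_r:container_t:s0:c42,c901"
POD_LABEL = TERM1_CONTAINER   # every container in pod `foo` runs with the pod's label
HOST_USER = "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023"
VOLUME_Z = "system_u:object_r:container_file_t:s0:c171,c253"   # :Z relabelled to the first writer's pair

if __name__ == "__main__":
    # Two independent `podman run ... :Z` containers: only the one whose pair the
    # volume was relabelled to may write, hence term2's "Permission denied".
    print("separate containers:", writers_allowed([TERM1_CONTAINER, TERM2_CONTAINER], VOLUME_Z))  # [True, False]
    # Two containers in the same pod share one label, so both dominate the volume.
    print("same pod:           ", writers_allowed([POD_LABEL, POD_LABEL], VOLUME_Z))              # [True, True]
    # The host user's c0.c1023 range dominates every pair, which is why term3's `cat` worked.
    print("host user:          ", mcs_dominates(HOST_USER, VOLUME_Z))                             # True
```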

@rhatdan
Member

rhatdan commented Jul 18, 2024

Correct.


A friendly reminder that this issue had no activity for 30 days.
