feature: support selinux by ningmingxiao · Pull Request #4639 · containerd/nerdctl

ningmingxiao · 2025-12-06T09:19:47Z

AkihiroSuda · 2025-12-08T03:58:35Z

+	if err != nil {
+		output := strings.TrimSpace(string(stdout))
+		if strings.Contains(output, "container_t") {
+			t.Fatal(fmt.Errorf("expect label container_t but get %s", output))


The uniqueness of the MCS categories have to be checked too?

what do you think how to check? @AkihiroSuda

Just run multiple containers and check that the MCS categories are different

because nerdctl doesn't save selinux label into db, nerdctl is a brief process， so may have chance to have same MCS categories . may be I should refer container id to keep special.

what's the disadvantage if 2 containers have same MCS categories ?

or we should let containerd call label.InitLabels(labelOpts) instead of let nerdctl create it @AkihiroSuda

AkihiroSuda · 2025-12-11T06:14:35Z

+		{
+			Description: "test run with selinux-enabled",
+			Command: func(data test.Data, helpers test.Helpers) test.TestableCommand {
+				return helpers.Command("--selinux-enabled", "run", "-d", "-v", fmt.Sprintf("/%s:/%s:Z", testContainer, testContainer), "--name", testContainer, "sleep", "infinity")


lower z should be tested too
https://docs.docker.com/engine/storage/bind-mounts/#configure-the-selinux-label

The z option indicates that the bind mount content is shared among multiple containers.
The Z option indicates that the bind mount content is private and unshared.

This should be verified by launching multiple containers

AkihiroSuda · 2025-12-22T09:50:59Z

Needs rebase

ningmingxiao · 2025-12-22T11:02:38Z

Needs rebase

done

ningmingxiao · 2025-12-25T02:07:41Z

do we need add a new api in containerd to manage selinuxlabel ? because " label.InitLabels(labelOptions)" should run on server to keep unique @AkihiroSuda

ChengyuZhu6

@ningmingxiao I’ve left a few comments; please take a look.

ChengyuZhu6 · 2026-01-21T02:45:06Z

+		},
+	}
+}
+func TestRunSelinux(t *testing.T) {


ChengyuZhu6 · 2026-01-21T02:54:21Z

missing selinux_enabled from Properties table.

ningmingxiao · 2026-01-21T08:33:38Z

ok I will fix it later I'm fixing selinux name conflict. @ChengyuZhu6

AkihiroSuda · 2026-03-05T14:36:39Z

What's the current status?

We will release v2.3 next month, and would like to include this PR if possible

ningmingxiao · 2026-03-12T13:49:44Z

I will try to fix it this week @AkihiroSuda

AkihiroSuda · 2026-04-05T22:22:15Z

Needs rebase

ChengyuZhu6

@ningmingxiao Overall it looks good. Left some comments.

sathiraumesh · 2026-04-11T12:19:25Z

+			},
+			Expected: func(data test.Data, helpers test.Helpers) *test.Expected {
+				return &test.Expected{
+					ExitCode: 0,


can use expect.ExitCodeSuccess

sathiraumesh · 2026-04-11T12:19:53Z

+			Expected: func(data test.Data, helpers test.Helpers) *test.Expected {
+				return &test.Expected{
+					ExitCode: 0,
+					Output: expect.All(


same here can use expect.ExitCodeSuccess

AkihiroSuda · 2026-04-20T15:03:30Z

ping @ningmingxiao

Signed-off-by: ningmingxiao <ning.mingxiao@zte.com.cn>

ningmingxiao · 2026-04-21T02:26:34Z

done @AkihiroSuda

ningmingxiao force-pushed the selinux_support branch 7 times, most recently from d69b7e0 to 2eaa687 Compare December 6, 2025 15:21

ningmingxiao changed the title ~~feature:support selinux use --security-opt label=xxx~~ feature:support selinux Dec 6, 2025

ningmingxiao changed the title ~~feature:support selinux~~ feature: support selinux Dec 6, 2025

ningmingxiao force-pushed the selinux_support branch from 2eaa687 to 1e356d6 Compare December 6, 2025 15:29

This was referenced Dec 6, 2025

Support SELinux: --security-opt label #4608

Open

Support nerdctl run --security-opt=XXX #11

Open

ningmingxiao force-pushed the selinux_support branch from 1e356d6 to 56a8926 Compare December 7, 2025 02:15