From cd12a4acfe0aad097aef48a9858a2fd754650732 Mon Sep 17 00:00:00 2001
From: Dan Walsh
Date: Fri, 7 Oct 2016 07:24:49 -0400
Subject: [PATCH] Can't use SELinux separation when sharing the host pid/ipc namespace

SELinux will cause breakage when sharing these namespaces. For example it will block processes inside of the container from looking at the hosts /proc in hosts Pid Namespace. It will also block all access to semaphores and shared memory defined outside of the pod.

Signed-off-by: Dan Walsh
---
 server/sandbox.go | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/server/sandbox.go b/server/sandbox.go
index 340c4e8d..26602670 100644
--- a/server/sandbox.go
+++ b/server/sandbox.go
@@ -166,9 +166,12 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
 return nil, err
 }

- processLabel, mountLabel, err = getSELinuxLabels(nil)
- if err != nil {
- return nil, err
+ // Don't use SELinux separation with Host Pid or IPC Namespace,
+ if !req.GetConfig().GetLinux().GetNamespaceOptions().GetHostPid() && !req.GetConfig().GetLinux().GetNamespaceOptions().GetHostIpc() {
+ processLabel, mountLabel, err = getSELinuxLabels(nil)
+ if err != nil {
+ return nil, err
+ }
 }

 containerID, containerName, err := s.generateContainerIDandName(name, "infra", 0)
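Review bot: The new `if` silently drops SELinux labeling for the whole pod whenever HostPid or HostIpc is requested, so nothing in the logs records that this sandbox runs without the separation every other pod gets; an info-level message in the skip path, e.g. `log.Infof("not applying SELinux labels to pod %s: host PID/IPC namespace shared", name)` using whatever logger this file already has, would make the downgrade visible to operators and auditors. The hunk also leaves `processLabel` and `mountLabel` at whatever value they held before the branch — presumably empty strings from a declaration above the hunk, but that is not visible here and is worth confirming so a stale label cannot leak through. As a point of style, the chain `req.GetConfig().GetLinux().GetNamespaceOptions()` is evaluated twice; hoisting it into `nsOpts := req.GetConfig().GetLinux().GetNamespaceOptions()` and testing `if !nsOpts.GetHostPid() && !nsOpts.GetHostIpc() {` reads more clearly, and the new comment should end with a period rather than a comma and say why (`// Host PID/IPC sharing is incompatible with SELinux separation: labels would block /proc and SysV IPC access outside the pod.`). RunPodSandbox begins before and continues past this hunk, so the declaration site of the two labels and any later use could not be reviewed.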