Can't use SELinux separation when sharing the host pid/ipc namespace

SELinux will cause breakage when sharing these namespaces. For example, it
will block processes inside the container from looking at the host's /proc
in the host's PID namespace. It will also block all access to semaphores and
shared memory defined outside of the pod.

Signed-off-by: Dan Walsh <dwalsh@redhat.com>
This commit is contained in:
Dan Walsh 2016-10-07 07:24:49 -04:00
parent fbcd609644
commit cd12a4acfe


@ -166,10 +166,13 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
return nil, err return nil, err
} }
// Don't use SELinux separation with Host Pid or IPC Namespace,
if !req.GetConfig().GetLinux().GetNamespaceOptions().GetHostPid() && !req.GetConfig().GetLinux().GetNamespaceOptions().GetHostIpc() {
processLabel, mountLabel, err = getSELinuxLabels(nil) processLabel, mountLabel, err = getSELinuxLabels(nil)
if err != nil { if err != nil {
return nil, err return nil, err
} }
}
containerID, containerName, err := s.generateContainerIDandName(name, "infra", 0) containerID, containerName, err := s.generateContainerIDandName(name, "infra", 0)
g.AddAnnotation("ocid/labels", string(labelsJSON)) g.AddAnnotation("ocid/labels", string(labelsJSON))