server: fix selinux labels for pod and containers

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
This commit is contained in:
Antonio Murdaca 2017-09-13 21:06:54 +02:00
parent daf34b9a31
commit e3682373d0
No known key found for this signature in database
GPG key ID: B2BEAD150DE936B9
2 changed files with 23 additions and 12 deletions


@ -45,7 +45,7 @@ const (
defaultSystemdParent = "system.slice" defaultSystemdParent = "system.slice"
) )
func addOCIBindMounts(sb *sandbox.Sandbox, containerConfig *pb.ContainerConfig, specgen *generate.Generator) ([]oci.ContainerVolume, error) { func addOCIBindMounts(mountLabel string, containerConfig *pb.ContainerConfig, specgen *generate.Generator) ([]oci.ContainerVolume, error) {
volumes := []oci.ContainerVolume{} volumes := []oci.ContainerVolume{}
mounts := containerConfig.GetMounts() mounts := containerConfig.GetMounts()
for _, mount := range mounts { for _, mount := range mounts {
@ -73,7 +73,7 @@ func addOCIBindMounts(sb *sandbox.Sandbox, containerConfig *pb.ContainerConfig,
if mount.SelinuxRelabel { if mount.SelinuxRelabel {
// Need a way in kubernetes to determine if the volume is shared or private // Need a way in kubernetes to determine if the volume is shared or private
if err := label.Relabel(src, sb.MountLabel(), true); err != nil && err != unix.ENOTSUP { if err := label.Relabel(src, mountLabel, true); err != nil && err != unix.ENOTSUP {
return nil, fmt.Errorf("relabel failed %s: %v", src, err) return nil, fmt.Errorf("relabel failed %s: %v", src, err)
} }
} }
@ -519,7 +519,12 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
specgen.HostSpecific = true specgen.HostSpecific = true
specgen.ClearProcessRlimits() specgen.ClearProcessRlimits()
containerVolumes, err := addOCIBindMounts(sb, containerConfig, &specgen) processLabel, mountLabel, err := getSELinuxLabels(containerConfig.GetLinux().GetSecurityContext().GetSelinuxOptions())
if err != nil {
return nil, err
}
containerVolumes, err := addOCIBindMounts(mountLabel, containerConfig, &specgen)
if err != nil { if err != nil {
return nil, err return nil, err
} }
@ -703,7 +708,7 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
} }
} }
} }
specgen.SetProcessSelinuxLabel(sb.ProcessLabel()) specgen.SetProcessSelinuxLabel(processLabel)
} }
specgen.SetLinuxMountLabel(sb.MountLabel()) specgen.SetLinuxMountLabel(sb.MountLabel())
@ -818,15 +823,18 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
options = []string{"ro"} options = []string{"ro"}
} }
if sb.ResolvPath() != "" { if sb.ResolvPath() != "" {
// TODO: selinux if err := label.Relabel(sb.ResolvPath(), mountLabel, true); err != nil && err != unix.ENOTSUP {
// label.Relabel(sb.ResolvPath(), container.MountLabel, shared) return nil, err
}
// bind mount the pod resolver file // bind mount the pod resolver file
specgen.AddBindMount(sb.ResolvPath(), "/etc/resolv.conf", options) specgen.AddBindMount(sb.ResolvPath(), "/etc/resolv.conf", options)
} }
if sb.HostnamePath() != "" { if sb.HostnamePath() != "" {
// TODO: selinux if err := label.Relabel(sb.HostnamePath(), mountLabel, true); err != nil && err != unix.ENOTSUP {
return nil, err
}
specgen.AddBindMount(sb.HostnamePath(), "/etc/hostname", options) specgen.AddBindMount(sb.HostnamePath(), "/etc/hostname", options)
} }
@ -884,7 +892,7 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
containerName, containerID, containerName, containerID,
metaname, metaname,
attempt, attempt,
sb.MountLabel(), mountLabel,
nil) nil)
if err != nil { if err != nil {
return nil, err return nil, err
@ -907,7 +915,7 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
} }
// Add image volumes // Add image volumes
if err := addImageVolumes(mountPoint, s, &containerInfo, &specgen, sb.MountLabel()); err != nil { if err := addImageVolumes(mountPoint, s, &containerInfo, &specgen, mountLabel); err != nil {
return nil, err return nil, err
} }
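Review bot: `specgen.SetLinuxMountLabel(sb.MountLabel())`, the unchanged line right after the new `specgen.SetProcessSelinuxLabel(processLabel)`, still applies the sandbox's mount label, while the same container's storage layer, bind-mount relabels and image volumes now use the per-container `mountLabel` derived from its own SELinux options. If a container's seLinuxOptions differ from the pod's, the runtime labels the rootfs mount with one context and the volumes/storage with another, which surfaces as AVC denials or an unintended rootfs label; the one-line fix is `specgen.SetLinuxMountLabel(mountLabel)`. The new relabel calls on `sb.ResolvPath()` and `sb.HostnamePath()` return the bare error, unlike `addOCIBindMounts`; for parity, `return nil, fmt.Errorf("relabel failed %s: %v", sb.ResolvPath(), err)` keeps the failing path visible. Those two paths are pod-scoped and shared by every container, so each container creation relabels them with its own label and the last container wins, which deserves a comment, and the unguarded `containerConfig.GetLinux().GetSecurityContext().GetSelinuxOptions()` call assumes `getSELinuxLabels` tolerates a nil options struct, which should be confirmed. createSandboxContainer starts and ends outside these hunks.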


@ -203,8 +203,9 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
} }
return nil, err return nil, err
} }
// TODO: selinux if err := label.Relabel(resolvPath, mountLabel, true); err != nil && err != unix.ENOTSUP {
// label.Relabel(sb.ResolvPath(), container.MountLabel, shared) return nil, err
}
g.AddBindMount(resolvPath, "/etc/resolv.conf", []string{"ro"}) g.AddBindMount(resolvPath, "/etc/resolv.conf", []string{"ro"})
} }
@ -464,7 +465,9 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
if err := ioutil.WriteFile(hostnamePath, []byte(hostname+"\n"), 0644); err != nil { if err := ioutil.WriteFile(hostnamePath, []byte(hostname+"\n"), 0644); err != nil {
return nil, err return nil, err
} }
// TODO: selinux relabel if err := label.Relabel(hostnamePath, mountLabel, true); err != nil && err != unix.ENOTSUP {
return nil, err
}
g.AddBindMount(hostnamePath, "/etc/hostname", []string{"ro"}) g.AddBindMount(hostnamePath, "/etc/hostname", []string{"ro"})
g.AddAnnotation(annotations.HostnamePath, hostnamePath) g.AddAnnotation(annotations.HostnamePath, hostnamePath)
sb.AddHostnamePath(hostnamePath) sb.AddHostnamePath(hostnamePath)
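Review bot: Both new `label.Relabel` calls pass `shared=true` with no comment on why; if the shared flag strips the MCS level as in opencontainers/selinux, the pod's resolv.conf and hostname end up under a category-less context rather than confined to this pod's label, a deliberate trade-off that deserves a note such as `// shared: pod-scoped files bind mounted read-only into every container in the pod, so they must not carry one container's MCS categories`. The bare `return nil, err` after each relabel also drops the path, unlike the `fmt.Errorf("relabel failed %s: %v", ...)` form used in addOCIBindMounts; `return nil, fmt.Errorf("relabel failed %s: %v", hostnamePath, err)` keeps the call sites consistent, assuming fmt is imported in this file. A relabel failure happens after `hostnamePath` has already been written with mode 0644, so confirm the sandbox teardown on error removes it rather than leaving a stale file on the host. Where `mountLabel` is derived in RunPodSandbox is outside these hunks, and the function starts and ends outside them.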