From ff950a8e371d448616c6cd67a663cab04e7c4c10 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Wed, 15 Mar 2017 14:57:05 -0400
Subject: [PATCH] Set SELinux mount label for pod sandbox

The pause container is creating an AVC since the /dev/null device is not labeled correctly. Looks like we are only setting the label of the process not the label of the content inside of the container. This change will label content in the pause container correctly and eliminate the AVC.

Signed-off-by: Daniel J Walsh
---
 server/sandbox_run.go | 1 +
 1 file changed, 1 insertion(+)

diff --git a/server/sandbox_run.go b/server/sandbox_run.go
index 234493f4..7c7d8c26 100644
--- a/server/sandbox_run.go
+++ b/server/sandbox_run.go
@@ -201,6 +201,7 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
 return nil, err
 }
 g.SetProcessSelinuxLabel(processLabel)
+ g.SetLinuxMountLabel(mountLabel)
 }
 // create shm mount for the pod containers.
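Review bot: The added `g.SetLinuxMountLabel(mountLabel)` covers content inside the sandbox's own filesystem, but the shm mount set up right after this block (the `// create shm mount for the pod containers.` comment) is created separately, and nothing in this hunk shows its mount options carrying the same label; if that mount is left unlabeled the same AVC would presumably recur for /dev/shm, so it is worth confirming its options are passed through `label.FormatMountLabel(..., mountLabel)` or equivalent. The pairing of the two calls deserves a why-comment, since a reader may otherwise assume the process label alone is sufficient: `// Label the mounted content as well as the process so files the sandbox creates (e.g. /dev/null) carry the container's SELinux context.` The enclosing `if` whose condition guards these calls, and RunPodSandbox itself, start outside the hunk, so where `mountLabel` is derived and whether it can be empty cannot be checked from here.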