Set SELinux mount label for pod sandbox

The pause container is creating an AVC since the /dev/null device
is not labeled correctly.  Looks like we are only setting the label of
the process not the label of the content inside of the container.
This change will label content in the pause container correctly and
eliminate the AVC.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Daniel J Walsh 2017-03-15 14:57:05 -04:00
parent bf6c4141c1
commit ff950a8e37

@ -201,6 +201,7 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
return nil, err return nil, err
} }
g.SetProcessSelinuxLabel(processLabel) g.SetProcessSelinuxLabel(processLabel)
g.SetLinuxMountLabel(mountLabel)
} }
// create shm mount for the pod containers. // create shm mount for the pod containers.
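Review bot: The added `g.SetLinuxMountLabel(mountLabel)` call depends on `mountLabel` being populated together with `processLabel`, but the hunk does not show where either value is assigned; please confirm both come from the same label allocation whose error is checked just above, because an empty mount label here would leave /dev/null unlabeled and the AVC described in the commit message would remain. The shm mount created directly after this block is worth checking as well, so that it carries the same mount label and does not produce a similar denial for the pod's containers. A regression test that asserts the generated sandbox spec has a non-empty mount label on this code path, plus a one-line comment above the new call saying it labels the container's content and not just its process, would make the intent durable.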