Set SELinux mount label for pod sandbox
The pause container is creating an AVC since the /dev/null device is not labeled correctly. It looks like we are only setting the label of the process, not the label of the content inside the container. This change will label content in the pause container correctly and eliminate the AVC. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
parent
bf6c4141c1
commit
ff950a8e37
1 changed files with 1 additions and 0 deletions
|
@ -201,6 +201,7 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
g.SetProcessSelinuxLabel(processLabel)
|
g.SetProcessSelinuxLabel(processLabel)
|
||||||
|
g.SetLinuxMountLabel(mountLabel)
|
||||||
}
|
}
|
||||||
|
|
||||||
// create shm mount for the pod containers.
|
// create shm mount for the pod containers.
|
||||||
|
|
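Review bot: The paired `g.SetProcessSelinuxLabel(processLabel)` / `g.SetLinuxMountLabel(mountLabel)` calls carry no comment saying why both are required, so the reasoning in the commit message (a process label alone leaves /dev/null mislabeled and triggers an AVC) is lost at the call site. I would add above them `// Set both labels: the process label confines the pause process; the mount label is applied to the sandbox's content (e.g. /dev). Omitting the latter causes AVC denials.` The assignment of `mountLabel` is outside the hunk, so it is worth confirming that it is generated together with `processLabel` and is non-empty on this path, since a mismatched or empty mount label would presumably leave the content under a context the process domain cannot access. Both calls sit inside a conditional block whose condition is not visible here, and RunPodSandbox itself starts and ends outside the hunk.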