vbatts/pkg
1
0
Fork 0
Code Pull requests Releases Activity

Initial work on selinux patch

Browse source 
This has every container using the docker daemon's pid for the processes
label so it does not work correctly.
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
This commit is contained in:
Michael Crosby 2014-04-17 23:47:27 +00:00
parent f6024af3e8
commit 48d893cc6b
2 changed files with 6 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
label/label_selinux.go
View file

@ -32,13 +32,13 @@ func GenLabels(options string) (string, string, error) {
return processLabel, mountLabel, err return processLabel, mountLabel, err
} }
func FormatMountLabel(src string, mountLabel string) string { func FormatMountLabel(src, mountLabel string) string {
if selinux.SelinuxEnabled() && mountLabel != "" { if mountLabel != "" {
switch src { switch src {
case "": case "":
src = fmt.Sprintf("%s,context=%s", src, mountLabel) src = fmt.Sprintf("context=%q", mountLabel)
default: default:
src = fmt.Sprintf("context=%s", mountLabel) src = fmt.Sprintf("%s,context=%q", src, mountLabel)
} }
} }
return src return src

3
libcontainer/nsinit/init.go
View file

@ -75,8 +75,9 @@ func (ns *linuxNs) Init(container *libcontainer.Container, uncleanRootfs, consol
} }
} }
runtime.LockOSThread() runtime.LockOSThread()
if err := label.SetProcessLabel(container.Context["process_label"]); err != nil { if err := label.SetProcessLabel(container.Context["process_label"]); err != nil {
return fmt.Errorf("SetProcessLabel label %s", err) return fmt.Errorf("set process label %s", err)
} }
ns.logger.Printf("execing %s\n", args[0]) ns.logger.Printf("execing %s\n", args[0])
return system.Execv(args[0], args[0:], container.Env) return system.Execv(args[0], args[0:], container.Env)