From c250bdad25d2b2d522886c58e8b4293f295bc7b9 Mon Sep 17 00:00:00 2001 From: Dan Walsh Date: Tue, 1 Apr 2014 09:24:24 -0400 Subject: [PATCH 1/3] Remove hard coding of SELinux labels on systems without proper selinux policy. If a system is configured for SELinux but does not know about docker or containers, then we want the transitions of the policy to work. Hard coding the labels causes docker to break on older Fedora and RHEL systems Docker-DCO-1.1-Signed-off-by: Dan Walsh (github: rhatdan) --- selinux/selinux.go | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/selinux/selinux.go b/selinux/selinux.go index 5236d3f..5362308 100644 --- a/selinux/selinux.go +++ b/selinux/selinux.go @@ -312,13 +312,10 @@ func GetLxcContexts() (processLabel string, fileLabel string) { if !SelinuxEnabled() { return "", "" } - lxcPath := fmt.Sprintf("%s/content/lxc_contexts", GetSELinuxPolicyRoot()) - fileLabel = "system_u:object_r:svirt_sandbox_file_t:s0" - processLabel = "system_u:system_r:svirt_lxc_net_t:s0" - + lxcPath := fmt.Sprintf("%s/contexts/lxc_contexts", GetSELinuxPolicyRoot()) in, err := os.Open(lxcPath) if err != nil { - goto exit + return "", "" } defer in.Close() @@ -352,6 +349,11 @@ func GetLxcContexts() (processLabel string, fileLabel string) { } } } + + if processLabel == "" || fileLabel == "" { + return "", "" + } + exit: mcs := IntToMcs(os.Getpid(), 1024) scon := NewContext(processLabel) From eab8c83391960b9c66fcdb8d1b895a1624ead338 Mon Sep 17 00:00:00 2001 From: Dan Walsh Date: Tue, 1 Apr 2014 10:03:29 -0400 Subject: [PATCH 2/3] In certain cases, setting the process label will not happen. When the code attempts to set the ProcessLabel, it checks if SELinux Is enabled. We have seen a case with some of our patches where the code is fooled by the container to think that SELinux is not enabled. Calling label.Init before setting up the rest of the container, tells the library that SELinux is enabled and everything works fine. Docker-DCO-1.1-Signed-off-by: Dan Walsh (github: rhatdan) --- label/label.go | 3 +++ label/label_selinux.go | 4 ++++ libcontainer/nsinit/init.go | 2 ++ 3 files changed, 9 insertions(+) diff --git a/label/label.go b/label/label.go index ba1e9f4..be0d0ae 100644 --- a/label/label.go +++ b/label/label.go @@ -21,3 +21,6 @@ func SetFileLabel(path string, fileLabel string) error { func GetPidCon(pid int) (string, error) { return "", nil } + +func Init() { +} diff --git a/label/label_selinux.go b/label/label_selinux.go index 300a8b6..64a1720 100644 --- a/label/label_selinux.go +++ b/label/label_selinux.go @@ -67,3 +67,7 @@ func SetFileLabel(path string, fileLabel string) error { func GetPidCon(pid int) (string, error) { return selinux.Getpidcon(pid) } + +func Init() { + selinux.SelinuxEnabled() +} diff --git a/libcontainer/nsinit/init.go b/libcontainer/nsinit/init.go index 5aa5f9f..e5d69f5 100644 --- a/libcontainer/nsinit/init.go +++ b/libcontainer/nsinit/init.go @@ -58,6 +58,8 @@ func (ns *linuxNs) Init(container *libcontainer.Container, uncleanRootfs, consol if err := system.ParentDeathSignal(uintptr(syscall.SIGTERM)); err != nil { return fmt.Errorf("parent death signal %s", err) } + + label.Init() ns.logger.Println("setup mount namespace") if err := setupNewMountNamespace(rootfs, container.Mounts, console, container.ReadonlyFs, container.NoPivotRoot, container.Context["mount_label"]); err != nil { return fmt.Errorf("setup mount namespace %s", err) From de5d0ed9790c5c5a0091c07948408226dfe9a956 Mon Sep 17 00:00:00 2001 From: Michael Crosby Date: Wed, 2 Apr 2014 16:52:49 +0000 Subject: [PATCH 3/3] Fix lxc label handleing This also improves the logic around formatting the labels for selinux Docker-DCO-1.1-Signed-off-by: Michael Crosby (github: crosbymichael) --- label/label.go | 2 +- label/label_selinux.go | 30 +++++++++++++++--------------- 2 files changed, 16 insertions(+), 16 deletions(-) diff --git a/label/label.go b/label/label.go index be0d0ae..38f026b 100644 --- a/label/label.go +++ b/label/label.go @@ -6,7 +6,7 @@ func GenLabels(options string) (string, string, error) { return "", "", nil } -func FormatMountLabel(src string, MountLabel string) string { +func FormatMountLabel(src string, mountLabel string) string { return src } diff --git a/label/label_selinux.go b/label/label_selinux.go index 64a1720..d807b2b 100644 --- a/label/label_selinux.go +++ b/label/label_selinux.go @@ -10,12 +10,15 @@ import ( func GenLabels(options string) (string, string, error) { processLabel, mountLabel := selinux.GetLxcContexts() - var err error if processLabel == "" { // SELinux is disabled - return "", "", err + return "", "", nil } - s := strings.Fields(options) - l := len(s) + + var ( + err error + s = strings.Fields(options) + l = len(s) + ) if l > 0 { pcon := selinux.NewContext(processLabel) for i := 0; i < l; i++ { @@ -28,19 +31,16 @@ func GenLabels(options string) (string, string, error) { return processLabel, mountLabel, err } -func FormatMountLabel(src string, MountLabel string) string { - var mountLabel string - if src != "" { - mountLabel = src - if MountLabel != "" { - mountLabel = fmt.Sprintf("%s,context=\"%s\"", mountLabel, MountLabel) - } - } else { - if MountLabel != "" { - mountLabel = fmt.Sprintf("context=\"%s\"", MountLabel) +func FormatMountLabel(src string, mountLabel string) string { + if mountLabel != "" { + switch src { + case "": + src = fmt.Sprintf("%s,context=%s", src, mountLabel) + default: + src = fmt.Sprintf("context=%s", mountLabel) } } - return mountLabel + return src } func SetProcessLabel(processLabel string) error {