Remove hard coding of SELinux labels on systems without proper selinux policy.
If a system is configured for SELinux but does not know about docker or containers, then we want the transitions of the policy to work. Hard coding the labels causes docker to break on older Fedora and RHEL systems.

Docker-DCO-1.1-Signed-off-by: Dan Walsh <dwalsh@redhat.com> (github: rhatdan)
parent
74349e02c6
commit
c250bdad25
1 changed files with 7 additions and 5 deletions
|
@ -312,13 +312,10 @@ func GetLxcContexts() (processLabel string, fileLabel string) {
|
||||||
if !SelinuxEnabled() {
|
if !SelinuxEnabled() {
|
||||||
return "", ""
|
return "", ""
|
||||||
}
|
}
|
||||||
lxcPath := fmt.Sprintf("%s/content/lxc_contexts", GetSELinuxPolicyRoot())
|
lxcPath := fmt.Sprintf("%s/contexts/lxc_contexts", GetSELinuxPolicyRoot())
|
||||||
fileLabel = "system_u:object_r:svirt_sandbox_file_t:s0"
|
|
||||||
processLabel = "system_u:system_r:svirt_lxc_net_t:s0"
|
|
||||||
|
|
||||||
in, err := os.Open(lxcPath)
|
in, err := os.Open(lxcPath)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
goto exit
|
return "", ""
|
||||||
}
|
}
|
||||||
defer in.Close()
|
defer in.Close()
|
||||||
|
|
||||||
|
@ -352,6 +349,11 @@ func GetLxcContexts() (processLabel string, fileLabel string) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if processLabel == "" || fileLabel == "" {
|
||||||
|
return "", ""
|
||||||
|
}
|
||||||
|
|
||||||
exit:
|
exit:
|
||||||
mcs := IntToMcs(os.Getpid(), 1024)
|
mcs := IntToMcs(os.Getpid(), 1024)
|
||||||
scon := NewContext(processLabel)
|
scon := NewContext(processLabel)
|
||||||
|
|
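Review bot: The new `if processLabel == "" || fileLabel == ""` guard in the second hunk sits above the `exit:` label, so any `goto exit` still present in the read loop (which lies outside both hunks) would skip it and reach `NewContext(processLabel)` with whatever had been parsed so far, possibly an empty label. Putting the label first, `exit:` followed by `if processLabel == "" || fileLabel == "" { return "", "" }`, sends every path through the check; if no `goto exit` remains, the label should be dropped instead, since Go rejects an unused label. Separately, the `os.Open` failure path in the first hunk now returns empty labels for any error, so a permission problem on lxc_contexts looks the same as a missing policy file. A comment such as `// no lxc_contexts: rely on the policy's own transitions` and a log line for errors other than not-exist would make that unlabeled fallback visible to operators.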