From f71121b1fa4018d967bcf3d01f4bdf05a42bfeff Mon Sep 17 00:00:00 2001 From: Dan Walsh Date: Tue, 1 Apr 2014 10:03:29 -0400 Subject: [PATCH] In certain cases, setting the process label will not happen. When the code attempts to set the ProcessLabel, it checks if SELinux Is enabled. We have seen a case with some of our patches where the code is fooled by the container to think that SELinux is not enabled. Calling label.Init before setting up the rest of the container, tells the library that SELinux is enabled and everything works fine. Docker-DCO-1.1-Signed-off-by: Dan Walsh (github: rhatdan) --- label/label.go | 3 +++ label/label_selinux.go | 4 ++++ libcontainer/nsinit/init.go | 2 ++ 3 files changed, 9 insertions(+) diff --git a/label/label.go b/label/label.go index ba1e9f4..be0d0ae 100644 --- a/label/label.go +++ b/label/label.go @@ -21,3 +21,6 @@ func SetFileLabel(path string, fileLabel string) error { func GetPidCon(pid int) (string, error) { return "", nil } + +func Init() { +} diff --git a/label/label_selinux.go b/label/label_selinux.go index 300a8b6..64a1720 100644 --- a/label/label_selinux.go +++ b/label/label_selinux.go @@ -67,3 +67,7 @@ func SetFileLabel(path string, fileLabel string) error { func GetPidCon(pid int) (string, error) { return selinux.Getpidcon(pid) } + +func Init() { + selinux.SelinuxEnabled() +} diff --git a/libcontainer/nsinit/init.go b/libcontainer/nsinit/init.go index 5aa5f9f..e5d69f5 100644 --- a/libcontainer/nsinit/init.go +++ b/libcontainer/nsinit/init.go @@ -58,6 +58,8 @@ func (ns *linuxNs) Init(container *libcontainer.Container, uncleanRootfs, consol if err := system.ParentDeathSignal(uintptr(syscall.SIGTERM)); err != nil { return fmt.Errorf("parent death signal %s", err) } + + label.Init() ns.logger.Println("setup mount namespace") if err := setupNewMountNamespace(rootfs, container.Mounts, console, container.ReadonlyFs, container.NoPivotRoot, container.Context["mount_label"]); err != nil { return fmt.Errorf("setup mount namespace %s", err)