In certain cases, setting the process label will not happen.
When the code attempts to set the ProcessLabel, it checks if SELinux is enabled. We have seen a case with some of our patches where the code is fooled by the container into thinking that SELinux is not enabled. Calling label.Init before setting up the rest of the container tells the library that SELinux is enabled, and everything works fine. Docker-DCO-1.1-Signed-off-by: Dan Walsh <dwalsh@redhat.com> (github: rhatdan)
This commit is contained in:
parent
cecd7a37bf
commit
f71121b1fa
3 changed files with 9 additions and 0 deletions
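--- a/[path not shown on page: file 1 of 3]
+++ b/[path not shown on page: file 1 of 3]
@@ -21,3 +21,6 @@ func SetFileLabel(path string, fileLabel string) error {
 func GetPidCon(pid int) (string, error) {
 	return "", nil
 }
+
+func Init() {
+}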
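Review bot: The exported `Init` added at the end of this hunk has no doc comment, and neither does its counterpart in the second hunk; with an empty body a reader cannot tell whether the no-op is deliberate or unfinished. This looks like the fallback implementation for builds without SELinux support, though the file path is not shown on the page, so I would state that explicitly: `// Init is a no-op in this build; the SELinux-backed implementation uses it to prime the library's enabled-state check.` The same one-line doc comment, adapted, belongs on the `Init` in the second hunk.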
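--- a/[path not shown on page: file 2 of 3]
+++ b/[path not shown on page: file 2 of 3]
@@ -67,3 +67,7 @@ func SetFileLabel(path string, fileLabel string) error {
 func GetPidCon(pid int) (string, error) {
 	return selinux.Getpidcon(pid)
 }
+
+func Init() {
+	selinux.SelinuxEnabled()
+}
</func_update>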
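Review bot: `selinux.SelinuxEnabled()` in the new `Init` has its return value discarded, so the call reads as dead code and a later cleanup could remove it without realizing the side effect is the point; the commit message explains it is made early so the library records that SELinux is enabled before the container can fool the later check. Say so at the call site: `// Called for its side effect only: it makes the selinux package evaluate (and presumably cache) whether SELinux is enabled before the container's namespaces are set up.` Relying on that cached state is fragile if the selinux package ever stops caching it; a follow-up could have `Init` return the detected state so the caller can log when SELinux is unexpectedly reported disabled, since otherwise the process label is left unset with no signal to the operator.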
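--- a/[path not shown on page: file 3 of 3]
+++ b/[path not shown on page: file 3 of 3]
@@ -58,6 +58,8 @@ func (ns *linuxNs) Init(container *libcontainer.Container, uncleanRootfs, consol
 	if err := system.ParentDeathSignal(uintptr(syscall.SIGTERM)); err != nil {
 		return fmt.Errorf("parent death signal %s", err)
 	}
+
+	label.Init()
 	ns.logger.Println("setup mount namespace")
 	if err := setupNewMountNamespace(rootfs, container.Mounts, console, container.ReadonlyFs, container.NoPivotRoot, container.Context["mount_label"]); err != nil {
 		return fmt.Errorf("setup mount namespace %s", err)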
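Review bot: The new `label.Init()` call carries an ordering requirement that nothing in the code states: it must run before `setupNewMountNamespace` on the following lines because, per the commit message, once the container's filesystem view is in place the SELinux enabled check can be fooled and the process label is then silently not applied. A future reorder of this function would reintroduce the bug with no error or test to catch it. I would comment the call: `// Must run before the mount namespace is set up; afterwards the SELinux enabled check can be fooled and ProcessLabel would silently not be applied.` The enclosing `linuxNs.Init` starts and ends outside the hunk.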