f71121b1fa
When the code attempts to set the ProcessLabel, it checks whether SELinux is enabled. We have seen a case with some of our patches where the container environment fools that check into reporting that SELinux is not enabled. Calling label.Init before setting up the rest of the container tells the library that SELinux is enabled, and everything then works as intended. Docker-DCO-1.1-Signed-off-by: Dan Walsh <dwalsh@redhat.com> (github: rhatdan)
// +build selinux,linux
package label
import (
"fmt"
"github.com/dotcloud/docker/pkg/selinux"
"strings"
)
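// GenLabels derives the SELinux process label and mount label for a new
// container. It starts from the default pair returned by
// selinux.GetLxcContexts and applies the caller's overrides from options,
// a whitespace-separated list of key=value entries (keys are whatever
// selinux.NewContext understands for a context; presumably the usual
// user/role/type/level fields — confirm against that package). The
// overrides are written into the process context, and the resulting
// level is then copied onto the mount label with selinux.CopyLevel so
// the two stay in step.
//
// It returns the process label, the mount label and an error. When
// SELinux is disabled (GetLxcContexts yields an empty process label) both
// labels are empty, options are ignored and the error is nil. On any
// error both labels are empty.
//
// Security note: options are supplied by whoever creates the container,
// so every entry is validated as exactly one key=value pair. The previous
// implementation indexed the split result blindly, so an entry without a
// '=' crashed the caller with an index-out-of-range panic; such input is
// now reported as an error instead.
func GenLabels(options string) (string, string, error) {
	processLabel, mountLabel := selinux.GetLxcContexts()
	if processLabel == "" {
		// No default process context: SELinux is disabled, nothing to label.
		return "", "", nil
	}

	fields := strings.Fields(options)
	if len(fields) == 0 {
		return processLabel, mountLabel, nil
	}

	pcon := selinux.NewContext(processLabel)
	for _, opt := range fields {
		kv := strings.Split(opt, "=")
		if len(kv) != 2 {
			// Reject malformed or ambiguous entries rather than guessing
			// (the old code panicked on a missing '=' and silently
			// truncated "a=b=c" to "b").
			return "", "", fmt.Errorf("invalid label option %q: expected key=value", opt)
		}
		pcon[kv[0]] = kv[1]
	}
	processLabel = pcon.Get()

	// An override may have changed the level; propagate it to the mount
	// label so both labels carry the same level.
	mountLabel, err := selinux.CopyLevel(processLabel, mountLabel)
	if err != nil {
		return "", "", err
	}
	return processLabel, mountLabel, nil
}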
// FormatMountLabel builds the mount-option string that attaches an
// SELinux context to a mount. src is the caller's existing option string
// (possibly empty) and MountLabel the context to apply.
//
// Results:
//   - MountLabel empty: src is returned untouched (so "" stays "").
//   - src empty:        `context="<MountLabel>"`.
//   - both non-empty:   `<src>,context="<MountLabel>"`.
//
// The label is quoted because MCS levels legitimately contain commas,
// but it is inserted verbatim with no escaping. A MountLabel containing
// a double quote would break the quoting and could smuggle extra mount
// options; callers must only pass contexts that come from the SELinux
// library or have been validated.
func FormatMountLabel(src string, MountLabel string) string {
	if MountLabel == "" {
		return src
	}
	contextOpt := fmt.Sprintf("context=\"%s\"", MountLabel)
	if src == "" {
		return contextOpt
	}
	return src + "," + contextOpt
}
// SetProcessLabel hands processLabel to selinux.Setexeccon when SELinux
// is enabled and returns that call's error. When SELinux is disabled it
// is a no-op and returns nil.
//
// Unlike SetFileLabel, an empty processLabel is not filtered out here and
// is passed straight to Setexeccon; what the library does with "" is not
// visible from this file — check before relying on it as a "reset".
func SetProcessLabel(processLabel string) error {
	if !selinux.SelinuxEnabled() {
		return nil
	}
	return selinux.Setexeccon(processLabel)
}
// GetProcessLabel returns the current exec context from
// selinux.Getexeccon together with its error. When SELinux is disabled
// it returns ("", nil) without touching the library, so an empty result
// alone does not distinguish "disabled" from "no exec context set".
func GetProcessLabel() (string, error) {
	if !selinux.SelinuxEnabled() {
		return "", nil
	}
	return selinux.Getexeccon()
}
// SetFileLabel applies fileLabel to path via selinux.Setfilecon and
// returns its error. It is a no-op returning nil when SELinux is
// disabled or when fileLabel is empty, so callers may pass the empty
// label produced by GenLabels on non-SELinux hosts without a check.
//
// SelinuxEnabled is consulted first, as in the original, so its call
// still happens even for an empty label.
func SetFileLabel(path string, fileLabel string) error {
	if !selinux.SelinuxEnabled() || fileLabel == "" {
		return nil
	}
	return selinux.Setfilecon(path, fileLabel)
}
// GetPidCon returns the SELinux context of process pid as reported by
// selinux.Getpidcon, along with its error.
//
// Note that, unlike the other helpers in this file, it does not check
// selinux.SelinuxEnabled first; on a host without SELinux the result is
// whatever Getpidcon returns in that situation.
func GetPidCon(pid int) (string, error) {
	con, err := selinux.Getpidcon(pid)
	return con, err
}
// Init probes SELinux support by calling selinux.SelinuxEnabled and
// discards the answer. Per the commit that introduced it, the call is
// made for its side effect only: it lets the library determine that
// SELinux is enabled before the container environment is set up, which
// otherwise could fool the check into reporting SELinux as disabled
// (and SetProcessLabel would then silently skip labelling). Call it
// early, before any container setup.
func Init() {
	// Result intentionally ignored; the probe itself is the point.
	_ = selinux.SelinuxEnabled()
}