Merge pull request #1627 from runcom/selinux-moar-fixes
sandbox,container: more selinux label fixes
rhatdan committed Jun 18, 2018
2 parents ace0093 + 6cf08a7 commit bd1dec3
Showing 2 changed files with 5 additions and 6 deletions.
7 changes: 3 additions & 4 deletions server/container_create.go
@@ -136,7 +136,6 @@ func addOCIBindMounts(mountLabel string, containerConfig *pb.ContainerConfig, sp
}

if mount.SelinuxRelabel {
// Need a way in kubernetes to determine if the volume is shared or private
if err := label.Relabel(src, mountLabel, false); err != nil && err != unix.ENOTSUP {
return nil, nil, fmt.Errorf("relabel failed %s: %v", src, err)
}
@@ -1178,7 +1177,7 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
options = []string{"ro"}
}
if sb.ResolvPath() != "" {
if err := label.Relabel(sb.ResolvPath(), mountLabel, true); err != nil && err != unix.ENOTSUP {
if err := label.Relabel(sb.ResolvPath(), mountLabel, false); err != nil && err != unix.ENOTSUP {
return nil, err
}

@@ -1193,7 +1192,7 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
}

if sb.HostnamePath() != "" {
if err := label.Relabel(sb.HostnamePath(), mountLabel, true); err != nil && err != unix.ENOTSUP {
if err := label.Relabel(sb.HostnamePath(), mountLabel, false); err != nil && err != unix.ENOTSUP {
return nil, err
}

@@ -1573,7 +1572,7 @@ func setupWorkingDirectory(rootfs, mountLabel, containerCwd string) error {
return err
}
if mountLabel != "" {
if err1 := label.Relabel(fp, mountLabel, true); err1 != nil && err1 != unix.ENOTSUP {
if err1 := label.Relabel(fp, mountLabel, false); err1 != nil && err1 != unix.ENOTSUP {
return fmt.Errorf("relabel failed %s: %v", fp, err1)
}
}
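Review bot: Nothing in these hunks shows that `mountLabel` is the same for every container of a sandbox, yet `createSandboxContainer` relabels the sandbox-level `sb.ResolvPath()` and `sb.HostnamePath()` on each container create, and with the third argument `false` (taking the second line of each printed pair as the new side) the MCS categories are kept instead of being reset to `s0`. Please confirm that `mountLabel` is always the sandbox's label; if it can differ per container, a later create would relabel these files away from containers already running in the pod. The same concern applies to `src` in `addOCIBindMounts`, where the dropped comment appears to have been the only record that a host volume may be mounted by more than one pod; I would keep a note such as `// private relabel: a volume shared between pods with different MCS labels stays accessible only to the last one relabeled`. The bare `return nil, err` after both sandbox-file relabels (and the two in server/sandbox_run.go) loses the path; `return nil, fmt.Errorf("relabel failed %s: %v", sb.ResolvPath(), err)` would match the other call sites.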
4 changes: 2 additions & 2 deletions server/sandbox_run.go
@@ -353,7 +353,7 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
}
return nil, err
}
if err := label.Relabel(resolvPath, mountLabel, true); err != nil && err != unix.ENOTSUP {
if err := label.Relabel(resolvPath, mountLabel, false); err != nil && err != unix.ENOTSUP {
return nil, err
}
mnt := runtimespec.Mount{
@@ -676,7 +676,7 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
if err := ioutil.WriteFile(hostnamePath, []byte(hostname+"\n"), 0644); err != nil {
return nil, err
}
if err := label.Relabel(hostnamePath, mountLabel, true); err != nil && err != unix.ENOTSUP {
if err := label.Relabel(hostnamePath, mountLabel, false); err != nil && err != unix.ENOTSUP {
return nil, err
}
mnt = runtimespec.Mount{
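Review bot: The `err != unix.ENOTSUP` guard on both relabels in `RunPodSandbox` skips the failure without leaving any trace, so on a filesystem that cannot store the label `resolvPath` and `hostnamePath` keep whatever context they inherited and the pod's MCS separation is not applied to them. I would log the path and the skipped relabel at that point so the condition can be correlated with later AVC denials. The direct comparison also matches only if `label.Relabel` returns the raw errno; whether the vendored version wraps it is not visible here and is worth confirming. The function body continues outside both hunks.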