Merge pull request #17 from crawford/coreos-1.10.3

Rebase overlay+SELinux fixes onto 1.10.3

daemon/daemon_unix.go

@@ -467,10 +467,6 @@ func checkSystem() error {
 func configureKernelSecuritySupport(config *Config, driverName string) error {
 	if config.EnableSelinuxSupport {
 		if selinuxEnabled() {
-			// As Docker on overlayFS and SELinux are incompatible at present, error on overlayfs being enabled
-			if driverName == "overlay" {
-				return fmt.Errorf("SELinux is not supported with the %s graph driver", driverName)
-			}
 			logrus.Debug("SELinux enabled successfully")
 		} else {
 			logrus.Warn("Docker could not enable SELinux on the host system")

daemon/graphdriver/overlay/overlay.go

@@ -364,6 +364,16 @@ func (d *Driver) Get(id string, mountLabel string) (string, error) {
 	workDir := path.Join(dir, "work")
 	mergedDir := path.Join(dir, "merged")
 
+	if err = label.Relabel(upperDir, mountLabel, false); err != nil {
+		return "", fmt.Errorf("Error relabeling upper directory: %v", err)
+	}
+	if err = label.Relabel(workDir, mountLabel, false); err != nil {
+		return "", fmt.Errorf("Error relabeling work directory: %v", err)
+	}
+	if err = label.Relabel(mergedDir, mountLabel, false); err != nil {
+		return "", fmt.Errorf("Error relabeling merged directory: %v", err)
+	}
+
 	opts := fmt.Sprintf("lowerdir=%s,upperdir=%s,workdir=%s", lowerDir, upperDir, workDir)
 	if err := syscall.Mount("overlay", mergedDir, "overlay", 0, label.FormatMountLabel(opts, mountLabel)); err != nil {
 		return "", fmt.Errorf("error creating overlay mount to %s: %v", mergedDir, err)