If caller specifies label overrides, don't override security options #30652
If a caller specifies an SELinux type or MCS Label and still wants to
Signed-off-by: Daniel J Walsh email@example.com
- What I did
- How I did it
- How to verify it
- Description for the changelog
- A picture of a cute animal (not mandatory but encouraged)
referenced this pull request
Feb 24, 2017
I think we could rename it to generateSELinuxLabel, or duplicateSELinuxLabel.
BUT if the caller has specified an SELinux Label to use, docker should just use the label, figuring the caller knows what it wants.
This is important for POD situations, where you could potentially want two containers sharing content but running with different SELinux labels.
Imagine you have a daemon container, but you add another container to the pod that you want to have limited access: it cannot use the network, or it can look at the process but not examine any content. Bottom line, it gives better flexibility to the caller of the docker-engine to specify the labels that it wants.