Set selinux label on local volumes from mounts API #34684

Merged
cpuguy83 merged 1 commit into moby:master from cpuguy83:fix_selinux_with_mount_api, Sep 19, 2017

cpuguy83 commented Aug 30, 2017

When using a volume via the Binds API, a shared selinux label is
automatically set.
The Mounts API is not setting this, which makes volumes specified via
the mounts API useless when selinux is enabled.

This fix adopts the same selinux label for volumes on the mounts API as on
binds.
Note in the case of both the Binds API and the Mounts API, the
selinux label is only applied when the volume driver is the local
driver.

@@ -334,6 +334,11 @@ func (v *localVolume) Path() string {
return v.path
}
// CachedPath returns the data location
func (v *localVolume) CachedPath() string {
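
Review bot: the doc comment on CachedPath says only that it "returns the data location", which is also what Path() directly above appears to do (it returns v.path), so a reader cannot tell why a second accessor is needed. Extend the comment to state how CachedPath differs from Path() and which caller depends on it; the discussion on this PR says the path must be set before relabeling, and that requirement belongs in the comment too.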

vieux Aug 30, 2017

Collaborator

Where is this used?

cpuguy83 Aug 30, 2017

Contributor

Just above setBindModeIfNull. The path must be set otherwise relabeling will fail.

@tonistiigi

LGTM

andrewhsu Sep 1, 2017

Contributor

@cpuguy83 can you rebase to get the fix for the stuff that is failing in the build jobs at the moment?

cpuguy83 Sep 1, 2017

Contributor

rebased

@vdemeester

LGTM 🐸
@cpuguy83 needs a rebase

thaJeztah Sep 19, 2017

Member

ping @cpuguy83 could you rebase this one?

Set selinux label on local volumes from mounts API
When using a volume via the `Binds` API, a shared selinux label is
automatically set.
The `Mounts` API is not setting this, which makes volumes specified via
the mounts API useless when selinux is enabled.

This fix adopts the same selinux label for volumes on the mounts API as on
binds.
Note in the case of both the `Binds` API and the `Mounts` API, the
selinux label is only applied when the volume driver is the `local`
driver.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>

cpuguy83 Sep 19, 2017

Contributor

Rebased

vieux Sep 19, 2017

Collaborator

LGTM

@cpuguy83 cpuguy83 merged commit 3ddced5 into moby:master Sep 19, 2017

5 of 6 checks passed

z: Jenkins build Docker-PRs-s390x 5779 has failed
dco-signed: All commits are signed
experimental: Jenkins build Docker-PRs-experimental 36931 has succeeded
janky: Jenkins build Docker-PRs 45594 has succeeded
powerpc: Jenkins build Docker-PRs-powerpc 5978 has succeeded
windowsRS1: Jenkins build Docker-PRs-WoW-RS1 17177 has succeeded

@cpuguy83 cpuguy83 deleted the cpuguy83:fix_selinux_with_mount_api branch Sep 19, 2017
