From aa949afbd17a2b4848c11e3cb79b2eafd72e43ce Mon Sep 17 00:00:00 2001
From: Daniel J Walsh <dwalsh@redhat.com>
Date: Mon, 1 Apr 2019 10:12:49 -0400
Subject: [PATCH] Ignore attempts to setLabels "" on SELinux disabled systems

Some users of go-selinux attempt to set the SELinux label to ""
even on SELinux disabled systems. This can cause these apps to blow
up (runc).  Rather then complicated these tools API, we can just ignore
the attempts to set "" labels.

If the caller attempts to set a label != "", then we should continue to
attempt and fail appropriately.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
---
 go-selinux/selinux_linux.go | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/go-selinux/selinux_linux.go b/go-selinux/selinux_linux.go
index 1f50440..51fa8de 100644
--- a/go-selinux/selinux_linux.go
+++ b/go-selinux/selinux_linux.go
@@ -333,6 +333,11 @@ func writeCon(fpath string, val string) error {
 	if fpath == "" {
 		return ErrEmptyPath
 	}
+	if val == "" {
+		if !GetEnabled() {
+			return nil
+		}
+	}
 
 	out, err := os.OpenFile(fpath, os.O_WRONLY, 0)
 	if err != nil {