In certain cases, setting the process label will not happen.

When the code attempts to set the ProcessLabel, it checks if SELinux Is
enabled.  We have seen a case with some of our patches where the code
is fooled by the container to think that SELinux is not enabled.  Calling
label.Init before setting up the rest of the container, tells the library that
SELinux is enabled and everything works fine.

Docker-DCO-1.1-Signed-off-by: Dan Walsh <dwalsh@redhat.com> (github: rhatdan)

pkg/label/label.go

@@ -21,3 +21,6 @@ func SetFileLabel(path string, fileLabel string) error {
 func GetPidCon(pid int) (string, error) {
 	return "", nil
 }
+
+func Init() {
+}

pkg/label/label_selinux.go

@@ -67,3 +67,7 @@ func SetFileLabel(path string, fileLabel string) error {
 func GetPidCon(pid int) (string, error) {
 	return selinux.Getpidcon(pid)
 }
+
+func Init() {
+	selinux.SelinuxEnabled()
+}

pkg/libcontainer/nsinit/init.go

@@ -58,6 +58,8 @@ func (ns *linuxNs) Init(container *libcontainer.Container, uncleanRootfs, consol
 	if err := system.ParentDeathSignal(uintptr(syscall.SIGTERM)); err != nil {
 		return fmt.Errorf("parent death signal %s", err)
 	}
+
+	label.Init()
 	ns.logger.Println("setup mount namespace")
 	if err := setupNewMountNamespace(rootfs, container.Mounts, console, container.ReadonlyFs, container.NoPivotRoot, container.Context["mount_label"]); err != nil {
 		return fmt.Errorf("setup mount namespace %s", err)