Ensure that selinux is disabled by default

This also includes some portability changes so that the package can be
imported with the top level runtime.
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)

daemonconfig/config.go

@@ -28,6 +28,7 @@ type Config struct {
 	ExecDriver                  string
 	Mtu                         int
 	DisableNetwork              bool
+	EnableSelinuxSupport        bool
 }
 
 // ConfigFromJob creates and returns a new DaemonConfig object
@@ -45,6 +46,7 @@ func ConfigFromJob(job *engine.Job) *Config {
 		InterContainerCommunication: job.GetenvBool("InterContainerCommunication"),
 		GraphDriver:                 job.Getenv("GraphDriver"),
 		ExecDriver:                  job.Getenv("ExecDriver"),
+		EnableSelinuxSupport:        false, // FIXME: hardcoded default to disable selinux for .10 release
 	}
 	if dns := job.GetenvList("Dns"); dns != nil {
 		config.Dns = dns

pkg/selinux/selinux.go

@@ -39,6 +39,11 @@ var (
 
 type SELinuxContext map[string]string
 
+// SetDisabled disables selinux support for the package
+func SetDisabled() {
+	selinuxEnabled, selinuxEnabledChecked = false, true
+}
+
 func GetSelinuxMountPoint() string {
 	if selinuxfs != "unknown" {
 		return selinuxfs
@@ -140,15 +145,6 @@ func Setfilecon(path string, scon string) error {
 	return system.Lsetxattr(path, xattrNameSelinux, []byte(scon), 0)
 }
 
-func Getfilecon(path string) (string, error) {
-	var scon []byte
-
-	cnt, err := syscall.Getxattr(path, xattrNameSelinux, scon)
-	scon = make([]byte, cnt)
-	cnt, err = syscall.Getxattr(path, xattrNameSelinux, scon)
-	return string(scon), err
-}
-
 func Setfscreatecon(scon string) error {
 	return writeCon("/proc/self/attr/fscreate", scon)
 }
@@ -188,7 +184,7 @@ func writeCon(name string, val string) error {
 }
 
 func Setexeccon(scon string) error {
-	return writeCon(fmt.Sprintf("/proc/self/task/%d/attr/exec", syscall.Gettid()), scon)
+	return writeCon(fmt.Sprintf("/proc/self/task/%d/attr/exec", system.Gettid()), scon)
 }
 
 func (c SELinuxContext) Get() string {

pkg/selinux/selinux_test.go

@@ -12,9 +12,7 @@ func testSetfilecon(t *testing.T) {
 		out, _ := os.OpenFile(tmp, os.O_WRONLY, 0)
 		out.Close()
 		err := selinux.Setfilecon(tmp, "system_u:object_r:bin_t:s0")
-		if err == nil {
-			t.Log(selinux.Getfilecon(tmp))
-		} else {
+		if err != nil {
 			t.Log("Setfilecon failed")
 			t.Fatal(err)
 		}
@@ -41,7 +39,6 @@ func TestSELinux(t *testing.T) {
 		pid := os.Getpid()
 		t.Log("PID:%d MCS:%s\n", pid, selinux.IntToMcs(pid, 1023))
 		t.Log(selinux.Getcon())
-		t.Log(selinux.Getfilecon("/etc/passwd"))
 		err = selinux.Setfscreatecon("unconfined_u:unconfined_r:unconfined_t:s0")
 		if err == nil {
 			t.Log(selinux.Getfscreatecon())

pkg/system/calls_linux.go

@@ -143,3 +143,7 @@ func SetCloneFlags(cmd *exec.Cmd, flag uintptr) {
 	}
 	cmd.SysProcAttr.Cloneflags = flag
 }
+
+func Gettid() int {
+	return syscall.Gettid()
+}

pkg/system/unsupported.go

@@ -13,3 +13,7 @@ func SetCloneFlags(cmd *exec.Cmd, flag uintptr) {
 func UsetCloseOnExec(fd uintptr) error {
 	return ErrNotSupportedPlatform
 }
+
+func Gettid() int {
+	return 0
+}

runtime/runtime.go

@@ -11,6 +11,7 @@ import (
 	"github.com/dotcloud/docker/image"
 	"github.com/dotcloud/docker/pkg/graphdb"
 	"github.com/dotcloud/docker/pkg/mount"
+	"github.com/dotcloud/docker/pkg/selinux"
 	"github.com/dotcloud/docker/pkg/sysinfo"
 	"github.com/dotcloud/docker/runconfig"
 	"github.com/dotcloud/docker/runtime/execdriver"
@@ -723,6 +724,9 @@ func NewRuntime(config *daemonconfig.Config, eng *engine.Engine) (*Runtime, erro
 }
 
 func NewRuntimeFromDirectory(config *daemonconfig.Config, eng *engine.Engine) (*Runtime, error) {
+	if !config.EnableSelinuxSupport {
+		selinux.SetDisabled()
+	}
 
 	// Set the default driver
 	graphdriver.DefaultDriver = config.GraphDriver