
Merge pull request #5002 from crosbymichael/rhatdan-selinux

Improve selinux label handling
unclejack 11 rokov pred

+ 1 - 2
daemonconfig/config.go

@@ -1,10 +1,9 @@
 package daemonconfig
 
 import (
-	"net"
-
 	"github.com/dotcloud/docker/engine"
 	"github.com/dotcloud/docker/runtime/networkdriver"
+	"net"
 )
 
 const (
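Review bot: The relocated `"net"` import on the new side now sits in the same group as the `github.com/dotcloud/docker/...` packages; the usual convention (and what goimports emits) is a standard-library group first, separated from third-party imports by a blank line, which is exactly the layout the removed lines had. I would keep `"net"` on its own line followed by a blank line and then the two docker imports. Purely stylistic; it compiles either way.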

+ 1 - 1
pkg/label/label.go

@@ -6,7 +6,7 @@ func GenLabels(options string) (string, string, error) {
 	return "", "", nil
 }
 
-func FormatMountLabel(src string, MountLabel string) string {
+func FormatMountLabel(src string, mountLabel string) string {
 	return src
 }
 

+ 15 - 15
pkg/label/label_selinux.go

@@ -10,12 +10,15 @@ import (
 
 func GenLabels(options string) (string, string, error) {
 	processLabel, mountLabel := selinux.GetLxcContexts()
-	var err error
 	if processLabel == "" { // SELinux is disabled
-		return "", "", err
+		return "", "", nil
 	}
-	s := strings.Fields(options)
-	l := len(s)
+
+	var (
+		err error
+		s   = strings.Fields(options)
+		l   = len(s)
+	)
 	if l > 0 {
 		pcon := selinux.NewContext(processLabel)
 		for i := 0; i < l; i++ {
@@ -28,19 +31,16 @@ func GenLabels(options string) (string, string, error) {
 	return processLabel, mountLabel, err
 }
 
-func FormatMountLabel(src string, MountLabel string) string {
-	var mountLabel string
-	if src != "" {
-		mountLabel = src
-		if MountLabel != "" {
-			mountLabel = fmt.Sprintf("%s,context=\"%s\"", mountLabel, MountLabel)
-		}
-	} else {
-		if MountLabel != "" {
-			mountLabel = fmt.Sprintf("context=\"%s\"", MountLabel)
+func FormatMountLabel(src string, mountLabel string) string {
+	if mountLabel != "" {
+		switch src {
+		case "":
+			src = fmt.Sprintf("%s,context=%s", src, mountLabel)
+		default:
+			src = fmt.Sprintf("context=%s", mountLabel)
 		}
 	}
-	return mountLabel
+	return src
 }
 
 func SetProcessLabel(processLabel string) error {
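Review bot: The two switch cases in the new FormatMountLabel are inverted: for an empty `src` it yields `,context=<label>` with a leading comma, and for a non-empty `src` it discards the caller's options and returns only `context=<label>`. Since lxc_template.go calls this helper with `newinstance,ptmxmode=0666,nosuid,noexec` and `size=65536k,nosuid,nodev,noexec`, an SELinux-enabled host would mount the container's devpts and /dev/shm without nosuid/nodev/noexec (and devpts without newinstance), weakening isolation precisely when a label is set. Swap the two format strings: `case "": src = fmt.Sprintf("context=%s", mountLabel)` and `default: src = fmt.Sprintf("%s,context=%s", src, mountLabel)`. The removed version also wrapped the context in double quotes; I cannot tell from this diff whether the lxc config parser depends on them, so that should be checked before dropping them. A small unit test pinning both the empty and non-empty `src` shapes would have caught this.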

+ 1 - 1
pkg/selinux/selinux.go

@@ -312,7 +312,7 @@ func GetLxcContexts() (processLabel string, fileLabel string) {
 	if !SelinuxEnabled() {
 		return "", ""
 	}
-	lxcPath := fmt.Sprintf("%s/content/lxc_contexts", GetSELinuxPolicyRoot())
+	lxcPath := fmt.Sprintf("%s/contexts/lxc_contexts", GetSELinuxPolicyRoot())
 	in, err := os.Open(lxcPath)
 	if err != nil {
 		return "", ""
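Review bot: The corrected path shows that until this commit `lxc_contexts` was never found, and the `return "", ""` on open failure (visible as context right below the fix) turned that into a silent fail-open: GenLabels in pkg/label treats an empty process label as "SELinux is disabled", so containers ran unlabeled on an enforcing host. A mis-detected policy root would reproduce the same outcome today. I would surface the failure instead of swallowing it, e.g. log (or return an error) when `os.Open(lxcPath)` fails while `SelinuxEnabled()` is true, so running without a label is a visible condition rather than the default. GetLxcContexts starts before and continues past this hunk.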

+ 3 - 13
runtime/execdriver/lxc/lxc_template.go

@@ -32,8 +32,8 @@ lxc.pts = 1024
 lxc.console = none
 {{if .ProcessLabel}}
 lxc.se_context = {{ .ProcessLabel}}
-{{$MOUNTLABEL := .MountLabel}}
 {{end}}
+{{$MOUNTLABEL := .MountLabel}}
 
 # no controlling tty at all
 lxc.tty = 1
@@ -94,8 +94,8 @@ lxc.mount.entry = sysfs {{escapeFstabSpaces $ROOTFS}}/sys sysfs nosuid,nodev,noe
 lxc.mount.entry = {{.Console}} {{escapeFstabSpaces $ROOTFS}}/dev/console none bind,rw 0 0
 {{end}}
 
-lxc.mount.entry = devpts {{escapeFstabSpaces $ROOTFS}}/dev/pts devpts {{formatMountLabel "newinstance,ptmxmode=0666,nosuid,noexec" "$MOUNTLABEL"}} 0 0
-lxc.mount.entry = shm {{escapeFstabSpaces $ROOTFS}}/dev/shm tmpfs {{formatMountLabel "size=65536k,nosuid,nodev,noexec" "$MOUNTLABEL"}} 0 0
+lxc.mount.entry = devpts {{escapeFstabSpaces $ROOTFS}}/dev/pts devpts {{formatMountLabel "newinstance,ptmxmode=0666,nosuid,noexec" $MOUNTLABEL}} 0 0
+lxc.mount.entry = shm {{escapeFstabSpaces $ROOTFS}}/dev/shm tmpfs {{formatMountLabel "size=65536k,nosuid,nodev,noexec" $MOUNTLABEL}} 0 0
 
 {{range $value := .Mounts}}
 {{if $value.Writable}}
@@ -151,14 +151,6 @@ func getMemorySwap(v *execdriver.Resources) int64 {
 	return v.Memory * 2
 }
 
-func getProcessLabel(c map[string][]string) string {
-	return getLabel(c, "process")
-}
-
-func getMountLabel(c map[string][]string) string {
-	return getLabel(c, "mount")
-}
-
 func getLabel(c map[string][]string, name string) string {
 	label := c["label"]
 	for _, l := range label {
@@ -174,8 +166,6 @@ func init() {
 	var err error
 	funcMap := template.FuncMap{
 		"getMemorySwap":     getMemorySwap,
-		"getProcessLabel":   getProcessLabel,
-		"getMountLabel":     getMountLabel,
 		"escapeFstabSpaces": escapeFstabSpaces,
 		"formatMountLabel":  label.FormatMountLabel,
 	}