Two SELinux Changes.
daemon/volumes.go This SetFileCon call made no sense, it was changing the labels of any directory mounted into the containers SELinux label. If it came from me, then I apologize since it is a huge bug. The Volumes Mount code should optionally do this, but it should not always happen, and should never happen on a --privileged container. The change to daemon/graphdriver/vfs/driver.go, is a simplification since this it not a relabel, it is only a setting of the shared label for docker volumes. Docker-DCO-1.1-Signed-off-by: Dan Walsh <dwalsh@redhat.com> (github: rhatdan)
This commit is contained in:
Dan Walsh
parent
e4a90897e1
commit
4eb2fd169f
2 changed files with 1 additions and 8 deletions
|
|
@ -47,7 +47,7 @@ func (d *Driver) Create(id, parent string) error {
|
|||
}
|
||||
opts := []string{"level:s0"}
|
||||
if _, mountLabel, err := label.InitLabels(opts); err == nil {
|
||||
label.Relabel(dir, mountLabel, "")
|
||||
label.SetFileLabel(dir, mountLabel)
|
||||
}
|
||||
if parent == "" {
|
||||
return nil
|
||||
|
|
|
|||
|
|
@ -15,7 +15,6 @@ import (
|
|||
"github.com/docker/docker/pkg/chrootarchive"
|
||||
"github.com/docker/docker/pkg/symlink"
|
||||
"github.com/docker/docker/volumes"
|
||||
"github.com/docker/libcontainer/label"
|
||||
)
|
||||
|
||||
type Mount struct {
|
||||
|
|
@ -344,12 +343,6 @@ func (container *Container) setupMounts() error {
|
|||
mounts = append(mounts, execdriver.Mount{Source: container.HostsPath, Destination: "/etc/hosts", Writable: true, Private: true})
|
||||
}
|
||||
|
||||
for _, m := range mounts {
|
||||
if err := label.SetFileLabel(m.Source, container.MountLabel); err != nil {
|
||||
return err
|
||||
}
|
||||
}
|
||||
|
||||
container.command.Mounts = mounts
|
||||
return nil
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in a new issue