From 73617e5e18159e5f791d2860c7857cd5dea31be4 Mon Sep 17 00:00:00 2001
From: Dan Walsh
Date: Wed, 20 Aug 2014 16:36:42 -0400
Subject: [PATCH] Change default label of container volumes to shared SELinux Label

Since these will be shared between containers we want to label them as svirt_sandbox_file_t:s0. That will allow multiple containers to write to them. Currently we are allowing container domains to read/write all content in /var/lib/docker because of container volumes. This is a big security hole in our SELinux story. This patch will allow us to tighten up the security of docker containers.

Docker-DCO-1.1-Signed-off-by: Dan Walsh (github: rhatdan)
---
 daemon/graphdriver/vfs/driver.go | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/daemon/graphdriver/vfs/driver.go b/daemon/graphdriver/vfs/driver.go
index 2ea6325a1e..4075892c49 100644
--- a/daemon/graphdriver/vfs/driver.go
+++ b/daemon/graphdriver/vfs/driver.go
@@ -3,10 +3,12 @@ package vfs
 import (
 	"bytes"
 	"fmt"
-	"github.com/docker/docker/daemon/graphdriver"
 	"os"
 	"os/exec"
 	"path"
+
+	"github.com/docker/docker/daemon/graphdriver"
+	"github.com/docker/libcontainer/label"
 )
 
 func init() {
@@ -67,6 +69,10 @@ func (d *Driver) Create(id, parent string) error {
 	if err := os.Mkdir(dir, 0755); err != nil {
 		return err
 	}
+	opts := []string{"level:s0"}
+	if _, mountLabel, err := label.InitLabels(opts); err == nil {
+		label.Relabel(dir, mountLabel, "")
+	}
 	if parent == "" {
 		return nil
 	}
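Review bot: The four added lines in Create swallow both errors: when label.InitLabels fails the `err == nil` guard simply skips labeling and Create still returns nil, and the error returned by label.Relabel is discarded outright, so a directory that was meant to carry the shared label can silently keep the default one — the opposite of what the commit sets out to enforce. On builds without SELinux support these helpers appear to return nil, so propagating the errors should not break such hosts; something like `if _, mountLabel, err := label.InitLabels(opts); err != nil { return err } else if err := label.Relabel(dir, mountLabel, ""); err != nil { return err }` would make a labeling failure visible to the caller. If a best-effort fallback is really intended, it should at least be logged and explained with a comment such as `// best effort: labeling is skipped when SELinux is unavailable`. Note also that this relabels every directory the vfs driver creates, not only volume directories, which is worth stating in a comment above `opts`. Create begins and ends outside the hunk.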