mirror of
https://github.com/moby/moby.git
synced 2022-11-09 12:21:53 -05:00
Merge pull request #22993 from rhatdan/relabel
Multiple fixes for SELinux labels.
This commit is contained in:
commit
3f6fa8af45
3 changed files with 12 additions and 6 deletions
|
@ -118,7 +118,9 @@ func (container *Container) NetworkMounts() []Mount {
|
||||||
if _, err := os.Stat(container.ResolvConfPath); err != nil {
|
if _, err := os.Stat(container.ResolvConfPath); err != nil {
|
||||||
logrus.Warnf("ResolvConfPath set to %q, but can't stat this filename (err = %v); skipping", container.ResolvConfPath, err)
|
logrus.Warnf("ResolvConfPath set to %q, but can't stat this filename (err = %v); skipping", container.ResolvConfPath, err)
|
||||||
} else {
|
} else {
|
||||||
|
if !container.HasMountFor("/etc/resolv.conf") {
|
||||||
label.Relabel(container.ResolvConfPath, container.MountLabel, shared)
|
label.Relabel(container.ResolvConfPath, container.MountLabel, shared)
|
||||||
|
}
|
||||||
writable := !container.HostConfig.ReadonlyRootfs
|
writable := !container.HostConfig.ReadonlyRootfs
|
||||||
if m, exists := container.MountPoints["/etc/resolv.conf"]; exists {
|
if m, exists := container.MountPoints["/etc/resolv.conf"]; exists {
|
||||||
writable = m.RW
|
writable = m.RW
|
||||||
|
@ -135,7 +137,9 @@ func (container *Container) NetworkMounts() []Mount {
|
||||||
if _, err := os.Stat(container.HostnamePath); err != nil {
|
if _, err := os.Stat(container.HostnamePath); err != nil {
|
||||||
logrus.Warnf("HostnamePath set to %q, but can't stat this filename (err = %v); skipping", container.HostnamePath, err)
|
logrus.Warnf("HostnamePath set to %q, but can't stat this filename (err = %v); skipping", container.HostnamePath, err)
|
||||||
} else {
|
} else {
|
||||||
|
if !container.HasMountFor("/etc/hostname") {
|
||||||
label.Relabel(container.HostnamePath, container.MountLabel, shared)
|
label.Relabel(container.HostnamePath, container.MountLabel, shared)
|
||||||
|
}
|
||||||
writable := !container.HostConfig.ReadonlyRootfs
|
writable := !container.HostConfig.ReadonlyRootfs
|
||||||
if m, exists := container.MountPoints["/etc/hostname"]; exists {
|
if m, exists := container.MountPoints["/etc/hostname"]; exists {
|
||||||
writable = m.RW
|
writable = m.RW
|
||||||
|
@ -152,7 +156,9 @@ func (container *Container) NetworkMounts() []Mount {
|
||||||
if _, err := os.Stat(container.HostsPath); err != nil {
|
if _, err := os.Stat(container.HostsPath); err != nil {
|
||||||
logrus.Warnf("HostsPath set to %q, but can't stat this filename (err = %v); skipping", container.HostsPath, err)
|
logrus.Warnf("HostsPath set to %q, but can't stat this filename (err = %v); skipping", container.HostsPath, err)
|
||||||
} else {
|
} else {
|
||||||
|
if !container.HasMountFor("/etc/hosts") {
|
||||||
label.Relabel(container.HostsPath, container.MountLabel, shared)
|
label.Relabel(container.HostsPath, container.MountLabel, shared)
|
||||||
|
}
|
||||||
writable := !container.HostConfig.ReadonlyRootfs
|
writable := !container.HostConfig.ReadonlyRootfs
|
||||||
if m, exists := container.MountPoints["/etc/hosts"]; exists {
|
if m, exists := container.MountPoints["/etc/hosts"]; exists {
|
||||||
writable = m.RW
|
writable = m.RW
|
||||||
|
|
|
@ -142,8 +142,8 @@ func (daemon *Daemon) create(params types.ContainerCreateConfig) (retC *containe
|
||||||
return container, nil
|
return container, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (daemon *Daemon) generateSecurityOpt(ipcMode containertypes.IpcMode, pidMode containertypes.PidMode) ([]string, error) {
|
func (daemon *Daemon) generateSecurityOpt(ipcMode containertypes.IpcMode, pidMode containertypes.PidMode, privileged bool) ([]string, error) {
|
||||||
if ipcMode.IsHost() || pidMode.IsHost() {
|
if ipcMode.IsHost() || pidMode.IsHost() || privileged {
|
||||||
return label.DisableSecOpt(), nil
|
return label.DisableSecOpt(), nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -247,7 +247,7 @@ func (daemon *Daemon) adaptContainerSettings(hostConfig *containertypes.HostConf
|
||||||
}
|
}
|
||||||
var err error
|
var err error
|
||||||
if hostConfig.SecurityOpt == nil {
|
if hostConfig.SecurityOpt == nil {
|
||||||
hostConfig.SecurityOpt, err = daemon.generateSecurityOpt(hostConfig.IpcMode, hostConfig.PidMode)
|
hostConfig.SecurityOpt, err = daemon.generateSecurityOpt(hostConfig.IpcMode, hostConfig.PidMode, hostConfig.Privileged)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue