From 4eb2fd169f8c9adbee4a9a0bd387f96b4e725963 Mon Sep 17 00:00:00 2001
From: Dan Walsh
Date: Thu, 5 Mar 2015 13:47:40 -0500
Subject: [PATCH] Two SELinux Changes.

daemon/volumes.go

This SetFileCon call made no sense, it was changing the labels of any directory mounted into the containers SELinux label. If it came from me, then I apologize since it is a huge bug. The Volumes Mount code should optionally do this, but it should not always happen, and should never happen on a --privileged container.

The change to daemon/graphdriver/vfs/driver.go, is a simplification since this it not a relabel, it is only a setting of the shared label for docker volumes.

Docker-DCO-1.1-Signed-off-by: Dan Walsh (github: rhatdan)
---
 daemon/graphdriver/vfs/driver.go | 2 +-
 daemon/volumes.go | 7 -------
 2 files changed, 1 insertion(+), 8 deletions(-)

diff --git a/daemon/graphdriver/vfs/driver.go b/daemon/graphdriver/vfs/driver.go
index fe4d38230e..47d70fde5c 100644
--- a/daemon/graphdriver/vfs/driver.go
+++ b/daemon/graphdriver/vfs/driver.go
@@ -47,7 +47,7 @@ func (d *Driver) Create(id, parent string) error {
 	}
 	opts := []string{"level:s0"}
 	if _, mountLabel, err := label.InitLabels(opts); err == nil {
-		label.Relabel(dir, mountLabel, "")
+		label.SetFileLabel(dir, mountLabel)
 	}
 	if parent == "" {
 		return nil
diff --git a/daemon/volumes.go b/daemon/volumes.go
index c9007615c0..16d00dd945 100644
--- a/daemon/volumes.go
+++ b/daemon/volumes.go
@@ -15,7 +15,6 @@ import (
 	"github.com/docker/docker/pkg/chrootarchive"
 	"github.com/docker/docker/pkg/symlink"
 	"github.com/docker/docker/volumes"
-	"github.com/docker/libcontainer/label"
 )
 
 type Mount struct {
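Review bot: The error returned by `label.SetFileLabel(dir, mountLabel)` is discarded, so a failed labeling of the freshly created layer directory is silent and only surfaces later as an access denial inside a container on an SELinux-enforcing host; the replaced `label.Relabel` call was ignored the same way, but this is the line to fix. Since a failing `label.InitLabels` is already treated as "leave the directory unlabeled", the straightforward option is to propagate the labeling error instead: `if err := label.SetFileLabel(dir, mountLabel); err != nil { return err }`. The non-SELinux build of the label package appears to return nil from SetFileLabel, in which case this changes nothing on those platforms, but that should be confirmed before relying on it. The enclosing `Create` starts and ends outside the hunk.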
@@ -344,12 +343,6 @@ func (container *Container) setupMounts() error {
 		mounts = append(mounts, execdriver.Mount{Source: container.HostsPath, Destination: "/etc/hosts", Writable: true, Private: true})
 	}
 
-	for _, m := range mounts {
-		if err := label.SetFileLabel(m.Source, container.MountLabel); err != nil {
-			return err
-		}
-	}
-
 	container.command.Mounts = mounts
 	return nil
 }
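Review bot: With the loop gone, nothing left in `setupMounts` applies `container.MountLabel` to any mount source, and the new code gives a future reader no hint that this is deliberate rather than an omission; the commit message explains that blanket relabeling rewrote the label of every host directory mounted in, and that an opt-in relabel that never runs for --privileged is the intended replacement, so that rationale belongs in the code. Before `container.command.Mounts = mounts` I would add `// Mount sources are intentionally not relabeled here: relabeling every mounted host path rewrote the host's own labels. An opt-in per-volume relabel (never for --privileged) is the intended replacement.` Note that the removed loop also labeled the daemon-generated `/etc/hosts` mount visible just above, and presumably the similar entries earlier in the function, so unless those files receive the container label when they are created, containers on enforcing hosts may now be denied access to them; that is inferred, not visible in the hunk. `setupMounts` starts outside the hunk.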