From 71bac2ca670d90c85869f14d23029c62e26c4813 Mon Sep 17 00:00:00 2001
From: Michael Crosby
Date: Thu, 17 Apr 2014 23:47:27 +0000
Subject: [PATCH 1/2] Initial work on selinux patch

This has every container using the docker daemon's pid for the processes label so it does not work correctly.

Docker-DCO-1.1-Signed-off-by: Michael Crosby (github: crosbymichael)
---
 nsinit/init.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/nsinit/init.go b/nsinit/init.go
index 4e50bc51..36c8cd12 100644
--- a/nsinit/init.go
+++ b/nsinit/init.go
@@ -75,8 +75,9 @@ func (ns *linuxNs) Init(container *libcontainer.Container, uncleanRootfs, consol
 		}
 	}
 	runtime.LockOSThread()
+
 	if err := label.SetProcessLabel(container.Context["process_label"]); err != nil {
-		return fmt.Errorf("SetProcessLabel label %s", err)
+		return fmt.Errorf("set process label %s", err)
 	}
 	ns.logger.Printf("execing %s\n", args[0])
 	return system.Execv(args[0], args[0:], container.Env)

From f6bccef4d780bfeaca6895eed6227243af68bcfe Mon Sep 17 00:00:00 2001
From: Michael Crosby
Date: Tue, 29 Apr 2014 03:41:44 -0700
Subject: [PATCH 2/2] Add mountlabel to dev

Docker-DCO-1.1-Signed-off-by: Michael Crosby (github: crosbymichael)
---
 mount/init.go | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/mount/init.go b/mount/init.go
index 06b2c82f..735970cd 100644
--- a/mount/init.go
+++ b/mount/init.go
@@ -4,14 +4,15 @@ package mount
 
 import (
 	"fmt"
+	"os"
+	"path/filepath"
+	"syscall"
+
 	"github.com/dotcloud/docker/pkg/label"
 	"github.com/dotcloud/docker/pkg/libcontainer"
 	"github.com/dotcloud/docker/pkg/libcontainer/mount/nodes"
 	"github.com/dotcloud/docker/pkg/libcontainer/security/restrict"
 	"github.com/dotcloud/docker/pkg/system"
-	"os"
-	"path/filepath"
-	"syscall"
 )
 
 // default mount point flags
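Review bot: The rewritten `return fmt.Errorf("set process label %s", err)` line in the nsinit/init.go hunk formats an error value with a bare `%s` and no separator, and it drops the label that was being applied, so a label that SELinux rejects or a malformed one cannot be told apart from the error text alone; `return fmt.Errorf("set process label %q: %v", container.Context["process_label"], err)` would make the failure diagnosable. The value is also read straight out of `container.Context["process_label"]` with no check that the key is present, so a container config that omits it silently hands an empty string to `SetProcessLabel`; whether that means "no label" or an error is not visible here, and a comment on the call such as `// missing key yields "": confirm SetProcessLabel treats that as unlabelled rather than failing` would record the assumption until it is checked. Init's body begins and ends outside the hunk.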
@@ -130,11 +131,12 @@ func newSystemMounts(rootfs, mountLabel string, mounts libcontainer.Mounts) []mo
 	}
 
 	if len(mounts.OfType("devtmpfs")) == 1 {
-		systemMounts = append(systemMounts, mount{source: "tmpfs", path: filepath.Join(rootfs, "dev"), device: "tmpfs", flags: syscall.MS_NOSUID | syscall.MS_STRICTATIME, data: "mode=755"})
+		systemMounts = append(systemMounts, mount{source: "tmpfs", path: filepath.Join(rootfs, "dev"), device: "tmpfs", flags: syscall.MS_NOSUID | syscall.MS_STRICTATIME, data: label.FormatMountLabel("mode=755", mountLabel)})
 	}
 	systemMounts = append(systemMounts,
 		mount{source: "shm", path: filepath.Join(rootfs, "dev", "shm"), device: "tmpfs", flags: defaultMountFlags, data: label.FormatMountLabel("mode=1777,size=65536k", mountLabel)},
-		mount{source: "devpts", path: filepath.Join(rootfs, "dev", "pts"), device: "devpts", flags: syscall.MS_NOSUID | syscall.MS_NOEXEC, data: label.FormatMountLabel("newinstance,ptmxmode=0666,mode=620,gid=5", mountLabel)})
+		mount{source: "devpts", path: filepath.Join(rootfs, "dev", "pts"), device: "devpts", flags: syscall.MS_NOSUID | syscall.MS_NOEXEC, data: label.FormatMountLabel("newinstance,ptmxmode=0666,mode=620,gid=5", mountLabel)},
+	)
 
 	if len(mounts.OfType("sysfs")) == 1 {
 		systemMounts = append(systemMounts, mount{source: "sysfs", path: filepath.Join(rootfs, "sys"), device: "sysfs", flags: defaultMountFlags})
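Review bot: The rewritten devtmpfs line now routes the SELinux context into the tmpfs mount data via `label.FormatMountLabel("mode=755", mountLabel)`, matching shm and devpts, but nothing explains why /dev needs it or what the non-SELinux path gets; a comment above the `if`, e.g. `// label the /dev tmpfs like shm and devpts so it carries the container's mount context`, would make the intent auditable. Whether `FormatMountLabel` returns the plain `"mode=755"` when `mountLabel` is empty is not visible in this hunk and should be confirmed, since that is the path every non-SELinux host takes to mount /dev at all. As a point of style, the devtmpfs literal is a single line of roughly 200 characters; laying it out one field per line like the multi-line `append` below would let a reviewer see the flags and data string at a glance. newSystemMounts starts and ends outside the hunk.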