Add value checking on relabel command for selinux

Docker-DCO-1.1-Signed-off-by: Dan Walsh <dwalsh@redhat.com> (github: rhatdan)
Dan Walsh 2015-04-06 10:07:08 -04:00
parent bd8ec36106
commit 4518bce5bb
2 changed files with 26 additions and 1 deletions


@ -104,7 +104,13 @@ func Relabel(path string, fileLabel string, relabel string) error {
if fileLabel == "" {
return nil
}
if relabel == "z" {
if !strings.ContainsAny(relabel, "zZ") {
return nil
}
if strings.Contains(relabel, "z") && strings.Contains(relabel, "Z") {
return fmt.Errorf("Bad SELinux option z and Z can not be used together")
}
if strings.Contains(relabel, "z") {
c := selinux.NewContext(fileLabel)
c["level"] = "s0"
fileLabel = c.Get()
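Review bot: The new checks match `z` and `Z` as substrings anywhere in `relabel`, so any value that merely contains one of those letters is treated as a relabel request. That matters because the `z` branch rewrites the level to `s0`, which drops the MCS categories from the label and makes the content shared, so a false match loosens isolation on that path. The callers are outside this hunk; if `relabel` is only ever the flag itself, reject anything else up front with `if strings.Trim(relabel, "zZ") != "" { return fmt.Errorf("bad SELinux relabel option %q", relabel) }`, and if it is a comma-separated option list, compare whole tokens instead. Relabel's body continues past the end of the hunk.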


@ -87,3 +87,22 @@ func TestDuplicateLabel(t *testing.T) {
t.Errorf("DisableSecOpt Failed level incorrect")
}
}
func TestRelabel(t *testing.T) {
testdir := "/tmp/test"
label := "system_u:system_r:svirt_sandbox_file_t:s0:c1,c2"
if err := Relabel(testdir, "", "z"); err != nil {
t.Fatal("Relabel with no label failed: %v", err)
}
if err := Relabel(testdir, label, ""); err != nil {
t.Fatal("Relabel with no relabel field failed: %v", err)
}
if err := Relabel(testdir, label, "z"); err != nil {
t.Fatal("Relabel shared failed: %v", err)
}
if err := Relabel(testdir, label, "Z"); err != nil {
t.Fatal("Relabel unshared failed: %v", err)
}
if err := Relabel(testdir, label, "zZ"); err == nil {
t.Fatal("Relabel with shared and unshared succeeded: %v", err)
}
}
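Review bot: `testdir := "/tmp/test"` points the relabel calls at a fixed, predictable path in a world-writable directory that the test never creates, so the outcome depends on whether the path exists and, on a shared machine, the test presumably relabels whatever another user has placed there. Create a private directory instead: `testdir, err := ioutil.TempDir("", "relabel")`, fail on `err`, and `defer os.RemoveAll(testdir)`. The failure messages also pass format verbs to `t.Fatal`, which prints `%v` literally; they should use `t.Fatalf`.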