Merge pull request #461 from ahmetalpbalkan/selinux-setenforce

selinux: add SelinuxSetEnforceMode implementation

libcontainer/selinux/selinux.go

@@ -231,10 +231,14 @@ func ReserveLabel(scon string) {
 	}
 }
 
+func selinuxEnforcePath() string {
+	return fmt.Sprintf("%s/enforce", selinuxPath)
+}
+
 func SelinuxGetEnforce() int {
 	var enforce int
 
-	enforceS, err := readCon(fmt.Sprintf("%s/enforce", selinuxPath))
+	enforceS, err := readCon(selinuxEnforcePath())
 	if err != nil {
 		return -1
 	}
@@ -246,6 +250,10 @@ func SelinuxGetEnforce() int {
 	return enforce
 }
 
+func SelinuxSetEnforce(mode int) error {
+	return writeCon(selinuxEnforcePath(), fmt.Sprintf("%d", mode))
+}
+
 func SelinuxGetEnforceMode() int {
 	switch readConfig(selinuxTag) {
 	case "enforcing":

libcontainer/selinux/selinux_test.go

@@ -40,7 +40,18 @@ func TestSELinux(t *testing.T) {
 		t.Log(flabel)
 		selinux.FreeLxcContexts(plabel)
 		t.Log("getenforce ", selinux.SelinuxGetEnforce())
-		t.Log("getenforcemode ", selinux.SelinuxGetEnforceMode())
+		mode := selinux.SelinuxGetEnforceMode()
+		t.Log("getenforcemode ", mode)
+
+		defer selinux.SelinuxSetEnforce(mode)
+		if err := selinux.SelinuxSetEnforce(selinux.Enforcing); err != nil {
+			t.Fatalf("enforcing selinux failed: %v", err)
+		}
+		if err := selinux.SelinuxSetEnforce(selinux.Permissive); err != nil {
+			t.Fatalf("setting selinux mode to permissive failed: %v", err)
+		}
+		selinux.SelinuxSetEnforce(mode)
+
 		pid := os.Getpid()
 		t.Logf("PID:%d MCS:%s\n", pid, selinux.IntToMcs(pid, 1023))
 		err = selinux.Setfscreatecon("unconfined_u:unconfined_r:unconfined_t:s0")