Do not check if SELinux is enabled on lowlevel calls to set processlabel

docker exec changes the mount namespace which fools selinux bindings
into thinking SELinux is disabled.  Bindings should just check if
a label is passed in and attempt to use it.  Docker will not call these
functions with a label if SELinux is disabled.

Docker-DCO-1.1-Signed-off-by: Dan Walsh <dwalsh@redhat.com> (github: rhatdan)
This commit is contained in:
Dan Walsh 2014-10-10 16:16:00 -04:00
parent f4254672e6
commit 7f60c92d65
2 changed files with 6 additions and 18 deletions

View File

@ -67,20 +67,17 @@ func FormatMountLabel(src, mountLabel string) string {
// SetProcessLabel takes a process label and tells the kernel to assign the
// label to the next program executed by the current process.
func SetProcessLabel(processLabel string) error {
if selinux.SelinuxEnabled() {
return selinux.Setexeccon(processLabel)
}
if processLabel == "" {
return nil
}
return selinux.Setexeccon(processLabel)
}
// GetProcessLabel returns the process label that the kernel will assign
// to the next program executed by the current process. If "" is returned
// this indicates that the default labeling will happen for the process.
func GetProcessLabel() (string, error) {
if selinux.SelinuxEnabled() {
return selinux.Getexeccon()
}
return "", nil
}
// SetFileLabel modifies the "path" label to the specified file label
@ -110,9 +107,6 @@ func Relabel(path string, fileLabel string, relabel string) error {
// GetPidLabel will return the label of the process running with the specified pid
func GetPidLabel(pid int) (string, error) {
if !selinux.SelinuxEnabled() {
return "", nil
}
return selinux.Getpidcon(pid)
}

View File

@ -173,13 +173,10 @@ func Getpidcon(pid int) (string, error) {
}
func Getexeccon() (string, error) {
return readCon("/proc/self/attr/exec")
return readCon(fmt.Sprintf("/proc/self/task/%d/attr/exec", syscall.Gettid()))
}
func writeCon(name string, val string) error {
if !SelinuxEnabled() {
return nil
}
out, err := os.OpenFile(name, os.O_WRONLY, 0)
if err != nil {
return err
@ -388,9 +385,6 @@ func SecurityCheckContext(val string) error {
}
func CopyLevel(src, dest string) (string, error) {
if !SelinuxEnabled() {
return "", nil
}
if src == "" {
return "", nil
}
@ -424,7 +418,7 @@ func badPrefix(fpath string) error {
// If the fpath is a directory and recurse is true Chcon will walk the
// directory tree setting the label
func Chcon(fpath string, scon string, recurse bool) error {
if !SelinuxEnabled() {
if scon == "" {
return nil
}
if err := badPrefix(fpath); err != nil {