From dcf994b4f8e6c4f63305b6d9331a9097934f46a6 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Tue, 2 Apr 2019 10:23:59 -0400
Subject: [PATCH] Fix SELinux failures on disabled SELinux Machines
On some machines when setting the SELinux key labels to "", we are seeing failures that cause runc to fail. Even if SELinux is disabled. This check will ignore callers calling SELinux Set*Label functions with "" when SELinux is disabled.
Signed-off-by: Daniel J Walsh
---
vendor.conf | 2 +-
.../opencontainers/selinux/go-selinux/selinux_linux.go | 5 +++++
2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/vendor.conf b/vendor.conf
index 48dfc952..fb97650d 100644
--- a/vendor.conf
+++ b/vendor.conf
@@ -5,7 +5,7 @@ github.com/opencontainers/runtime-spec 29686dbc5559d93fb1ef402eeda3e35c38d75af4
 # Core libcontainer functionality.
 github.com/checkpoint-restore/go-criu v3.11
 github.com/mrunalp/fileutils ed869b029674c0e9ce4c0dfa781405c2d9946d08
-github.com/opencontainers/selinux v1.2
+github.com/opencontainers/selinux v1.2.1
 github.com/seccomp/libseccomp-golang 84e90a91acea0f4e51e62bc1a75de18b1fc0790f
 github.com/sirupsen/logrus a3f95b5c423586578a4e099b11a46c2479628cac
 github.com/syndtr/gocapability db04d3cc01c8b54962a58ec7e491717d06cfcc16
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go
index 1f50440c..51fa8de6 100644
--- a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go
+++ b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go
@@ -333,6 +333,11 @@ func writeCon(fpath string, val string) error {
 if fpath == "" {
 return ErrEmptyPath
 }
+ if val == "" {
+ if !GetEnabled() {
+ return nil
+ }
+ }
 out, err := os.OpenFile(fpath, os.O_WRONLY, 0)
 if err != nil {