Commit Graph

8 Commits

Author SHA1 Message Date
Dan Walsh dd89eb9eca Add call to label to allow it to tell kernel how to label created files
SELinux supports a call that tells the kernel, from this point onward
create content with this label.  If you pass "", the kernel will
go back to the default.

Docker-DCO-1.1-Signed-off-by: Dan Walsh <dwalsh@redhat.com> (github: rhatdan)
2014-11-20 17:39:39 -05:00
Dan Walsh 50922caec2 Add new interfaces for label/selinux
We need the ability when using --ipc container:ID to match the SELinux label of the
container that the new container is sharing a label with.

Also add the ability to get the option to disable SELinux labeling for a container.

Docker-DCO-1.1-Signed-off-by: Dan Walsh <dwalsh@redhat.com> (github: rhatdan)
2014-10-29 16:39:14 -04:00
Dan Walsh 7f60c92d65 Do not check if SELinux is enabled on lowlevel calls to set processlabel
docker exec changes the mount namespace which fools selinux bindings
into thinking SELinux is disabled.  Bindings should just check if
a label is passed in and attempt to use it.  Docker will not call these
functions with a label if SELinux is disabled.

Docker-DCO-1.1-Signed-off-by: Dan Walsh <dwalsh@redhat.com> (github: rhatdan)
2014-10-11 06:04:52 -04:00
Dan Walsh f5d6269371 Allow docker to free container labels when containers are removed.
Currently we do not remove reservations on MCS labels when a container
is removed.  Not a big problem, since on reboot it would be freed.
But we should be cleaning this up.  Currently we support ~500,000
labels.

Docker-DCO-1.1-Signed-off-by: Dan Walsh <dwalsh@redhat.com> (github: rhatdan)
2014-08-20 17:07:38 -04:00
Dan Walsh bc3c671e21 Add label.InitLabels functioni. Allows generation of labels based on options
This will allow us to do the following with docker.

Customize the way that a labeling system like SELinux will run on a container.

    --label-opt="user:USER"  : Set the label user for the container
    --label-opt="role:ROLE"  : Set the label role for the container
    --label-opt="type:TYPE"  : Set the label type for the container
    --label-opt="level:LEVEL"  : Set the label level for the container
    --label-opt="disabled"  : Turn off label confinement for the container

Since we are passing a list of string options instead of a space separated
string of options, I will change function calls to use InitLabels instead of
GenLabels.  Genlabels interface is Deprecated.

Docker-DCO-1.1-Signed-off-by: Dan Walsh <dwalsh@redhat.com> (github: rhatdan)
2014-07-28 16:09:17 -04:00
Dan Walsh 49951d95c8 Allow caller to change the labels on a directory tree.
We want to add this to libcontainer so that we can change docker so that
when you volume mount into a labeled container, we want to allow the
administrator/user the ability to tell docker to fix the labels on the mount.

Docker-DCO-1.1-Signed-off-by: Dan Walsh <dwalsh@redhat.com> (github: rhatdan)
2014-07-09 14:40:13 -04:00
Michael Crosby 6ab3ef56f4 Update imports for new repository path 2014-06-10 08:14:16 -07:00
Michael Crosby 3b1acc34fb Move libcontainer deps into libcontainer
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-06-09 15:52:12 -07:00