docker exec changes the mount namespace, which fools the SELinux bindings
into thinking SELinux is disabled. Bindings should just check if
a label is passed in and attempt to use it. Docker will not call these
functions with a label if SELinux is disabled.
Docker-DCO-1.1-Signed-off-by: Dan Walsh <dwalsh@redhat.com> (github: rhatdan)
Currently we do not remove reservations on MCS labels when a container
is removed. Not a big problem, since on reboot it would be freed.
But we should be cleaning this up. Currently we support ~500,000
labels.
Docker-DCO-1.1-Signed-off-by: Dan Walsh <dwalsh@redhat.com> (github: rhatdan)
This will allow us to do the following with docker.
Customize the way that a labeling system like SELinux will run on a container.
--label-opt="user:USER" : Set the label user for the container
--label-opt="role:ROLE" : Set the label role for the container
--label-opt="type:TYPE" : Set the label type for the container
--label-opt="level:LEVEL" : Set the label level for the container
--label-opt="disabled" : Turn off label confinement for the container
Since we are passing a list of string options instead of a space-separated
string of options, I will change function calls to use InitLabels instead of
GenLabels. The GenLabels interface is deprecated.
Docker-DCO-1.1-Signed-off-by: Dan Walsh <dwalsh@redhat.com> (github: rhatdan)
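The following Go snippet illustrates how a list of --label-opt values like the one above can be folded into a process label and a mount label; it is an added example, not libcontainer's InitLabels or any Docker code. The default contexts are constructed sample values, and the rules that user/role/level are shared by both labels while type changes only the process label, and that unknown keys or empty values are rejected, are assumptions of this example.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample defaults (not from the page or from libcontainer).
const defaultProcess = "system_u:system_r:svirt_lxc_net_t:s0:c1,c2"
const defaultMount = "system_u:object_r:svirt_sandbox_file_t:s0:c1,c2"

// Position of each --label-opt key within a user:role:type:level context.
var fieldIndex = map[string]int{"user": 0, "role": 1, "type": 2, "level": 3}

// ApplyLabelOpts applies --label-opt values ("user:USER", "role:ROLE", "type:TYPE",
// "level:LEVEL", "disabled") to default process and mount contexts and returns
// the resulting labels; "disabled" yields empty labels (no confinement). Assumed
// semantics: user, role and level are shared by both labels, type changes only
// the process label; unknown keys or empty values are rejected, not ignored.
func ApplyLabelOpts(opts []string, defProcess, defMount string) (string, string, error) {
	// An MLS level may itself contain colons ("s0:c1,c2"), so split into at
	// most four fields and let the level absorb the remainder.
	proc, mnt := strings.SplitN(defProcess, ":", 4), strings.SplitN(defMount, ":", 4)
	if len(proc) != 4 || len(mnt) != 4 {
		return "", "", fmt.Errorf("malformed default context %q / %q", defProcess, defMount)
	}
	for _, opt := range opts {
		if opt == "disabled" {
			return "", "", nil
		}
		kv := strings.SplitN(opt, ":", 2) // the value may contain ':' too (level)
		i, known := fieldIndex[kv[0]]
		if !known || len(kv) != 2 || kv[1] == "" {
			return "", "", fmt.Errorf("invalid label option %q", opt)
		}
		proc[i] = kv[1]
		if kv[0] != "type" { // the mount label keeps its own (file) type
			mnt[i] = kv[1]
		}
	}
	return strings.Join(proc, ":"), strings.Join(mnt, ":"), nil
}

func main() {
	p, m, err := ApplyLabelOpts([]string{"type:svirt_apache_t", "level:s0:c100,c200"}, defaultProcess, defaultMount)
	fmt.Println(p, m, err)
}
```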
We want to add this to libcontainer so that we can change docker so that,
when you volume mount into a labeled container, the administrator/user has
the ability to tell docker to fix the labels on the mount.
Docker-DCO-1.1-Signed-off-by: Dan Walsh <dwalsh@redhat.com> (github: rhatdan)