SELinux supports a call that tells the kernel, from this point onward
create content with this label. If you pass "", the kernel will
go back to the default.
Docker-DCO-1.1-Signed-off-by: Dan Walsh <dwalsh@redhat.com> (github: rhatdan)
We need the ability when using --ipc container:ID to match the SELinux label of the
container that the new container is sharing a label with.
Also add the ability to get the option to disable SELinux labeling for a container.
Docker-DCO-1.1-Signed-off-by: Dan Walsh <dwalsh@redhat.com> (github: rhatdan)
Currently we do not remove reservations on MCS labels when a container
is removed. Not a big problem, since on reboot it would be freed.
But we should be cleaning this up. Currently we support ~500,000
labels.
Docker-DCO-1.1-Signed-off-by: Dan Walsh <dwalsh@redhat.com> (github: rhatdan)
This will allow us to do the following with docker.
Customize the way that a labeling system like SELinux will run on a container.
--label-opt="user:USER" : Set the label user for the container
--label-opt="role:ROLE" : Set the label role for the container
--label-opt="type:TYPE" : Set the label type for the container
--label-opt="level:LEVEL" : Set the label level for the container
--label-opt="disabled" : Turn off label confinement for the container
Since we are passing a list of string options instead of a space separated
string of options, I will change function calls to use InitLabels instead of
GenLabels. Genlabels interface is Deprecated.
Docker-DCO-1.1-Signed-off-by: Dan Walsh <dwalsh@redhat.com> (github: rhatdan)
We want to add this to libcontainer so that we can change docker so that
when you volume mount into a labeled container, we want to allow the
administrator/user the ability to tell docker to fix the labels on the mount.
Docker-DCO-1.1-Signed-off-by: Dan Walsh <dwalsh@redhat.com> (github: rhatdan)
Dan Walsh
Michael Crosby