author | Daniel J Walsh <dwalsh@redhat.com> | 2018-06-05 15:25:32 -0400 |
committer | Atomic Bot <atomic-devel@projectatomic.io> | 2018-06-06 18:23:37 +0000 |
commit | dedc7cc3296abc4f340d29effb693572ca2b7521 (patch) | |
tree | 237a973fc78bd59acd7818c409eb1362ff3eea0c | |
parent | 7b2b2bc631718cd2e6640f66551f8f41e8bf99d3 (diff) | |
Remove SELinux transition rule after conmon is started.
We have an issue where the iptables command is being executed by podman
and attempts to run with a different label. This fix changes podman
to only change the label on the conmon command and then set the
SELinux interface back to the default.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #906
Approved by: giuseppe
-rw-r--r-- | libpod/oci.go | 44 |
1 files changed, 27 insertions, 17 deletions
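--- a/libpod/oci.go
+++ b/libpod/oci.go
@@ -284,22 +284,6 @@ func (r *OCIRuntime) createOCIContainer(ctr *Container, cgroupParent string) (er
 		"args": args,
 	}).Debugf("running conmon: %s", r.conmonPath)
 
-	if selinux.GetEnabled() {
-		// Set the label of the conmon process to be level :s0
-		// This will allow the container processes to talk to fifo-files
-		// passed into the container by conmon
-		plabel, err := selinux.CurrentLabel()
-		if err != nil {
-			return errors.Wrapf(err, "Failed to get current SELinux label")
-		}
-
-		c := selinux.NewContext(plabel)
-		if c["level"] != "s0" && c["level"] != "" {
-			c["level"] = "s0"
-			label.SetProcessLabel(c.Get())
-		}
-	}
-
 	cmd := exec.Command(r.conmonPath, args...)
 	cmd.Dir = ctr.bundlePath()
 	cmd.SysProcAttr = &syscall.SysProcAttr{
@@ -327,7 +311,33 @@ func (r *OCIRuntime) createOCIContainer(ctr *Container, cgroupParent string) (er
 		cmd.ExtraFiles = append(cmd.ExtraFiles, fds...)
 	}
 
-	err = cmd.Start()
+	if selinux.GetEnabled() {
+		// Set the label of the conmon process to be level :s0
+		// This will allow the container processes to talk to fifo-files
+		// passed into the container by conmon
+		plabel, err := selinux.CurrentLabel()
+		if err != nil {
+			childPipe.Close()
+			return errors.Wrapf(err, "Failed to get current SELinux label")
+		}
+
+		c := selinux.NewContext(plabel)
+		runtime.LockOSThread()
+		if c["level"] != "s0" && c["level"] != "" {
+			c["level"] = "s0"
+			if err := label.SetProcessLabel(c.Get()); err != nil {
+				runtime.UnlockOSThread()
+				return err
+			}
+		}
+		err = cmd.Start()
+		// Ignore error returned from SetProcessLabel("") call,
+		// can't recover.
+		label.SetProcessLabel("")
+		runtime.UnlockOSThread()
+	} else {
+		err = cmd.Start()
+	}
 	if err != nil {
 		childPipe.Close()
 		return err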
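Review bot: The new SetProcessLabel error path in the second hunk returns without closing childPipe, while the CurrentLabel error path just above it and the `if err != nil` block below both close it, so a failed label change leaks the pipe descriptor; add `childPipe.Close()` next to the `runtime.UnlockOSThread()` before that `return err`. The error from `label.SetProcessLabel("")` is discarded deliberately, but if that reset fails the thread is presumably handed back to the scheduler with its exec label still at s0, which is the same mislabeling of later execs that this commit sets out to fix, so it is worth logging at warning level instead of dropping silently. The comment above the reset would then read `// Reset the exec label; log but do not fail, the child is already started.`. createOCIContainer starts before and continues past both hunks.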