authorDaniel J Walsh <dwalsh@redhat.com>2018-06-05 15:25:32 -0400
committerAtomic Bot <atomic-devel@projectatomic.io>2018-06-06 18:23:37 +0000
commitdedc7cc3296abc4f340d29effb693572ca2b7521 (patch)
tree237a973fc78bd59acd7818c409eb1362ff3eea0c
parent7b2b2bc631718cd2e6640f66551f8f41e8bf99d3 (diff)
Remove SELinux transition rule after conmon is started.
We have an issue where the iptables command is being executed by podman and attempted to run with a different label. This fix changes podman to only change the label on the conmon command and then set the SELinux interface back to the default. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #906 Approved by: giuseppe
-rw-r--r--libpod/oci.go44
1 files changed, 27 insertions, 17 deletions
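diff --git a/libpod/oci.go b/libpod/oci.go
index b5b5fd81e..725819b54 100644
--- a/libpod/oci.go
+++ b/libpod/oci.go
@@ -284,22 +284,6 @@ func (r *OCIRuntime) createOCIContainer(ctr *Container, cgroupParent string) (er
 "args": args,
 }).Debugf("running conmon: %s", r.conmonPath)
-if selinux.GetEnabled() {
-// Set the label of the conmon process to be level :s0
-// This will allow the container processes to talk to fifo-files
-// passed into the container by conmon
-plabel, err := selinux.CurrentLabel()
-if err != nil {
-return errors.Wrapf(err, "Failed to get current SELinux label")
-}
-
-c := selinux.NewContext(plabel)
-if c["level"] != "s0" && c["level"] != "" {
-c["level"] = "s0"
-label.SetProcessLabel(c.Get())
-}
-}
-
 cmd := exec.Command(r.conmonPath, args...)
 cmd.Dir = ctr.bundlePath()
 cmd.SysProcAttr = &syscall.SysProcAttr{
@@ -327,7 +311,33 @@ func (r *OCIRuntime) createOCIContainer(ctr *Container, cgroupParent string) (er
 cmd.ExtraFiles = append(cmd.ExtraFiles, fds...)
 }
-err = cmd.Start()
+if selinux.GetEnabled() {
+// Set the label of the conmon process to be level :s0
+// This will allow the container processes to talk to fifo-files
+// passed into the container by conmon
+plabel, err := selinux.CurrentLabel()
+if err != nil {
+childPipe.Close()
+return errors.Wrapf(err, "Failed to get current SELinux label")
+}
+
+c := selinux.NewContext(plabel)
+runtime.LockOSThread()
+if c["level"] != "s0" && c["level"] != "" {
+c["level"] = "s0"
+if err := label.SetProcessLabel(c.Get()); err != nil {
+runtime.UnlockOSThread()
+return err
+}
+}
+err = cmd.Start()
+// Ignore error returned from SetProcessLabel("") call,
+// can't recover.
+label.SetProcessLabel("")
+runtime.UnlockOSThread()
+} else {
+err = cmd.Start()
+}
 if err != nil {
 childPipe.Close()
 return err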
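Review bot: `plabel, err := selinux.CurrentLabel()` declares a new `err` scoped to the `if selinux.GetEnabled()` block, so the `err = cmd.Start()` that now sits inside that block assigns to the shadow, and the `if err != nil` after the block tests the outer `err` (the variable the removed plain-assignment `err = cmd.Start()` line used), which is still nil; on an SELinux-enabled host a failed conmon start is therefore not reported and the function continues past the check. Declaring `var plabel string` before the block and writing `plabel, err = selinux.CurrentLabel()` keeps the result on the outer variable, or the Start error can be captured into a variable declared outside the block and checked there. The `return err` after a failed `label.SetProcessLabel(c.Get())` also skips the `childPipe.Close()` that the `CurrentLabel` error path performs, so that pipe end leaks on this path. createOCIContainer begins and ends outside this hunk.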