authorDaniel J Walsh <dwalsh@redhat.com>2018-05-30 15:57:33 -0400
committerAtomic Bot <atomic-devel@projectatomic.io>2018-05-31 13:51:11 +0000
commit7c6034e161abf4b70fb0409718cc5aa8cd83cc88 (patch)
tree243e51b1ec5303a0144b4d21a016e6be59ec7146
parentbae80a0b663925ec751ad2784ca32989403cdc24 (diff)
We need to change the SELinux label of the conmon process to s0
If SELinux is enabled, we are leaking pipes owned by conmon into the container. The container processes are not allowed to use these pipes if the calling process is fully ranged. By changing the level of the conmon process to s0, the container processes are allowed to use the pipes. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #854 Approved by: mheon
-rw-r--r--libpod/oci.go18
1 files changed, 18 insertions, 0 deletions
diff --git a/libpod/oci.go b/libpod/oci.go
index 22519acbd..88e9c4cf4 100644
--- a/libpod/oci.go
+++ b/libpod/oci.go
@@ -19,6 +19,8 @@ import (
"github.com/containers/storage/pkg/idtools"
"github.com/coreos/go-systemd/activation"
spec "github.com/opencontainers/runtime-spec/specs-go"
+ selinux "github.com/opencontainers/selinux/go-selinux"
+ "github.com/opencontainers/selinux/go-selinux/label"
"github.com/pkg/errors"
"github.com/sirupsen/logrus"
"golang.org/x/sys/unix"
@@ -282,6 +284,22 @@ func (r *OCIRuntime) createOCIContainer(ctr *Container, cgroupParent string) (er
"args": args,
}).Debugf("running conmon: %s", r.conmonPath)
+ if selinux.GetEnabled() {
+ // Set the label of the conmon process to be level :s0
+ // This will allow the container processes to talk to fifo-files
+ // passed into the container by conmon
+ plabel, err := selinux.CurrentLabel()
+ if err != nil {
+ return errors.Wrapf(err, "Failed to get current SELinux label")
+ }
+
+ c := selinux.NewContext(plabel)
+ if c["level"] != "s0" && c["level"] != "" {
+ c["level"] = "s0"
+ label.SetProcessLabel(c.Get())
+ }
+ }
+
cmd := exec.Command(r.conmonPath, args...)
cmd.Dir = ctr.bundlePath()
cmd.SysProcAttr = &syscall.SysProcAttr{