diff options
| author | OpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com> | 2020-04-22 22:30:59 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2020-04-22 22:30:59 +0200 |
| commit | 2584d6bd58976de936ba5325d77068d7fb7935a7 (patch) | |
| tree | 6f0c1cc3a0fe189378371a102a20938b7f430cb6 /pkg/selinux/selinux.go | |
| parent | 576fe98bbcee7361251b437835125f93b4c10b15 (diff) | |
| parent | ede8380d37359d6ecf878c6e41db5c0f09bbadad (diff) | |
| download | podman-2584d6bd58976de936ba5325d77068d7fb7935a7.tar.gz podman-2584d6bd58976de936ba5325d77068d7fb7935a7.tar.bz2 podman-2584d6bd58976de936ba5325d77068d7fb7935a7.zip | |
Merge pull request #5936 from rhatdan/selinux1
Move selinux labeling support from pkg/util to pkg/selinux
Diffstat (limited to 'pkg/selinux/selinux.go')
| -rw-r--r-- | pkg/selinux/selinux.go | 40 |
1 files changed, 40 insertions, 0 deletions
diff --git a/pkg/selinux/selinux.go b/pkg/selinux/selinux.go new file mode 100644 index 000000000..975519cce --- /dev/null +++ b/pkg/selinux/selinux.go @@ -0,0 +1,40 @@ +package selinux + +import ( + "github.com/opencontainers/selinux/go-selinux" +) + +// SELinuxKVMLabel returns labels for running kvm isolated containers +func SELinuxKVMLabel(cLabel string) (string, error) { + if cLabel == "" { + // selinux is disabled + return "", nil + } + processLabel, _ := selinux.KVMContainerLabels() + selinux.ReleaseLabel(processLabel) + return swapSELinuxLabel(cLabel, processLabel) +} + +// SELinuxInitLabel returns labels for running systemd based containers +func SELinuxInitLabel(cLabel string) (string, error) { + if cLabel == "" { + // selinux is disabled + return "", nil + } + processLabel, _ := selinux.InitContainerLabels() + selinux.ReleaseLabel(processLabel) + return swapSELinuxLabel(cLabel, processLabel) +} + +func swapSELinuxLabel(cLabel, processLabel string) (string, error) { + dcon, err := selinux.NewContext(cLabel) + if err != nil { + return "", err + } + scon, err := selinux.NewContext(processLabel) + if err != nil { + return "", err + } + dcon["type"] = scon["type"] + return dcon.Get(), nil +} |