summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--libpod/container_internal.go6
-rw-r--r--pkg/selinux/selinux.go40
-rw-r--r--pkg/util/utils.go36
3 files changed, 43 insertions, 39 deletions
diff --git a/libpod/container_internal.go b/libpod/container_internal.go
index 50bd9bc25..4cb80a98b 100644
--- a/libpod/container_internal.go
+++ b/libpod/container_internal.go
@@ -19,7 +19,7 @@ import (
"github.com/containers/libpod/pkg/hooks"
"github.com/containers/libpod/pkg/hooks/exec"
"github.com/containers/libpod/pkg/rootless"
- "github.com/containers/libpod/pkg/util"
+ "github.com/containers/libpod/pkg/selinux"
"github.com/containers/storage"
"github.com/containers/storage/pkg/archive"
"github.com/containers/storage/pkg/mount"
@@ -435,12 +435,12 @@ func (c *Container) setupStorage(ctx context.Context) error {
processLabel := containerInfo.ProcessLabel
switch {
case c.ociRuntime.SupportsKVM():
- processLabel, err = util.SELinuxKVMLabel(processLabel)
+ processLabel, err = selinux.SELinuxKVMLabel(processLabel)
if err != nil {
return err
}
case c.config.Systemd:
- processLabel, err = util.SELinuxInitLabel(processLabel)
+ processLabel, err = selinux.SELinuxInitLabel(processLabel)
if err != nil {
return err
}
diff --git a/pkg/selinux/selinux.go b/pkg/selinux/selinux.go
new file mode 100644
index 000000000..975519cce
--- /dev/null
+++ b/pkg/selinux/selinux.go
@@ -0,0 +1,40 @@
+package selinux
+
+import (
+ "github.com/opencontainers/selinux/go-selinux"
+)
+
+// SELinuxKVMLabel returns labels for running kvm isolated containers
+func SELinuxKVMLabel(cLabel string) (string, error) {
+ if cLabel == "" {
+ // selinux is disabled
+ return "", nil
+ }
+ processLabel, _ := selinux.KVMContainerLabels()
+ selinux.ReleaseLabel(processLabel)
+ return swapSELinuxLabel(cLabel, processLabel)
+}
+
+// SELinuxInitLabel returns labels for running systemd based containers
+func SELinuxInitLabel(cLabel string) (string, error) {
+ if cLabel == "" {
+ // selinux is disabled
+ return "", nil
+ }
+ processLabel, _ := selinux.InitContainerLabels()
+ selinux.ReleaseLabel(processLabel)
+ return swapSELinuxLabel(cLabel, processLabel)
+}
+
+func swapSELinuxLabel(cLabel, processLabel string) (string, error) {
+ dcon, err := selinux.NewContext(cLabel)
+ if err != nil {
+ return "", err
+ }
+ scon, err := selinux.NewContext(processLabel)
+ if err != nil {
+ return "", err
+ }
+ dcon["type"] = scon["type"]
+ return dcon.Get(), nil
+}
diff --git a/pkg/util/utils.go b/pkg/util/utils.go
index 55e775d7a..64331cf66 100644
--- a/pkg/util/utils.go
+++ b/pkg/util/utils.go
@@ -22,7 +22,6 @@ import (
"github.com/containers/storage"
"github.com/containers/storage/pkg/idtools"
v1 "github.com/opencontainers/image-spec/specs-go/v1"
- "github.com/opencontainers/selinux/go-selinux"
"github.com/pkg/errors"
"github.com/sirupsen/logrus"
"golang.org/x/crypto/ssh/terminal"
@@ -647,41 +646,6 @@ func ValidateSysctls(strSlice []string) (map[string]string, error) {
return sysctl, nil
}
-// SELinuxKVMLabel returns labels for running kvm isolated containers
-func SELinuxKVMLabel(cLabel string) (string, error) {
- if cLabel == "" {
- // selinux is disabled
- return "", nil
- }
- processLabel, _ := selinux.KVMContainerLabels()
- selinux.ReleaseLabel(processLabel)
- return swapSELinuxLabel(cLabel, processLabel)
-}
-
-// SELinuxInitLabel returns labels for running systemd based containers
-func SELinuxInitLabel(cLabel string) (string, error) {
- if cLabel == "" {
- // selinux is disabled
- return "", nil
- }
- processLabel, _ := selinux.InitContainerLabels()
- selinux.ReleaseLabel(processLabel)
- return swapSELinuxLabel(cLabel, processLabel)
-}
-
-func swapSELinuxLabel(cLabel, processLabel string) (string, error) {
- dcon, err := selinux.NewContext(cLabel)
- if err != nil {
- return "", err
- }
- scon, err := selinux.NewContext(processLabel)
- if err != nil {
- return "", err
- }
- dcon["type"] = scon["type"]
- return dcon.Get(), nil
-}
-
func DefaultContainerConfig() *config.Config {
return containerConfig
}