From 7c6034e161abf4b70fb0409718cc5aa8cd83cc88 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Wed, 30 May 2018 15:57:33 -0400
Subject: We need to change the SELinux label of the conmon process to s0
If SELinux is enabled, we are leaking in pipes into the container owned by conmon. The container processes are not allowed to use these pipes, if the calling process is fully ranged. By changing the level of the conmon process to s0, this allows container processes to use the pipes.
Signed-off-by: Daniel J Walsh
Closes: #854
Approved by: mheon
---
 libpod/oci.go | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
diff --git a/libpod/oci.go b/libpod/oci.go
index 22519acbd..88e9c4cf4 100644
--- a/libpod/oci.go
+++ b/libpod/oci.go
@@ -19,6 +19,8 @@ import (
 "github.com/containers/storage/pkg/idtools"
 "github.com/coreos/go-systemd/activation"
 spec "github.com/opencontainers/runtime-spec/specs-go"
+ selinux "github.com/opencontainers/selinux/go-selinux"
+ "github.com/opencontainers/selinux/go-selinux/label"
 "github.com/pkg/errors"
 "github.com/sirupsen/logrus"
 "golang.org/x/sys/unix"
@@ -282,6 +284,22 @@ func (r *OCIRuntime) createOCIContainer(ctr *Container, cgroupParent string) (er
 "args": args,
 }).Debugf("running conmon: %s", r.conmonPath)
+ if selinux.GetEnabled() {
+ // Set the label of the conmon process to be level :s0
+ // This will allow the container processes to talk to fifo-files
+ // passed into the container by conmon
+ plabel, err := selinux.CurrentLabel()
+ if err != nil {
+ return errors.Wrapf(err, "Failed to get current SELinux label")
+ }
+
+ c := selinux.NewContext(plabel)
+ if c["level"] != "s0" && c["level"] != "" {
+ c["level"] = "s0"
+ label.SetProcessLabel(c.Get())
+ }
+ }
+
 cmd := exec.Command(r.conmonPath, args...)
 cmd.Dir = ctr.bundlePath()
 cmd.SysProcAttr = &syscall.SysProcAttr{
--
cgit v1.2.3-54-g00ecf
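Review bot: `label.SetProcessLabel(c.Get())` in the new `if c["level"] != "s0"` branch discards its error, so a failed write of the exec label leaves conmon running at the caller's original level and the pipe problem this commit fixes silently comes back; it should be checked the same way the `CurrentLabel()` call a few lines above is. The exec label is also written for the calling OS thread and, as I read go-selinux, stays set until cleared, so without pinning via `runtime.LockOSThread()` the goroutine may fork conmon from a different thread than the one it labelled, and any later child exec'd from the labelled thread inherits level s0 unless the label is reset after `cmd.Start()`. `createOCIContainer` continues past the hunk, so a reset may already exist there; if not, the version below pins the thread, checks the error and clears the label on return (resetting directly after `cmd.Start()` would be tighter still, and `runtime` must be added to the imports). Since dropping conmon to s0 deliberately relaxes MCS/MLS separation, a comment stating that the level change is meant to apply only to the conmon exec would help future readers.
```go
	if selinux.GetEnabled() {
		// … unchanged: CurrentLabel / NewContext …
		if c["level"] != "s0" && c["level"] != "" {
			c["level"] = "s0"
			// attr/exec is per OS thread and persists until cleared: stay on
			// the thread that will fork conmon, fail if the label cannot be
			// set, and clear it on return so no later child inherits s0.
			runtime.LockOSThread()
			defer runtime.UnlockOSThread()
			if err := label.SetProcessLabel(c.Get()); err != nil {
				return errors.Wrapf(err, "failed to set SELinux exec label for conmon")
			}
			defer func() { _ = label.SetProcessLabel("") }()
		}
	}
```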