From dedc7cc3296abc4f340d29effb693572ca2b7521 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Tue, 5 Jun 2018 15:25:32 -0400
Subject: Remove SELinux transition rule after conmon is started.

We have an issue where iptables command is being executed by podman and attempted to run with a different label. This fix changes podman to only change the label on the conmon command and then set the SELinux interface back to the default.

Signed-off-by: Daniel J Walsh
Closes: #906
Approved by: giuseppe
---
 libpod/oci.go | 44 +++++++++++++++++++++++++++-----------------
 1 file changed, 27 insertions(+), 17 deletions(-)

diff --git a/libpod/oci.go b/libpod/oci.go
index b5b5fd81e..725819b54 100644
--- a/libpod/oci.go
+++ b/libpod/oci.go
@@ -284,22 +284,6 @@ func (r *OCIRuntime) createOCIContainer(ctr *Container, cgroupParent string) (er
 "args": args,
 }).Debugf("running conmon: %s", r.conmonPath)
 
- if selinux.GetEnabled() {
- // Set the label of the conmon process to be level :s0
- // This will allow the container processes to talk to fifo-files
- // passed into the container by conmon
- plabel, err := selinux.CurrentLabel()
- if err != nil {
- return errors.Wrapf(err, "Failed to get current SELinux label")
- }
-
- c := selinux.NewContext(plabel)
- if c["level"] != "s0" && c["level"] != "" {
- c["level"] = "s0"
- label.SetProcessLabel(c.Get())
- }
- }
-
 cmd := exec.Command(r.conmonPath, args...)
 cmd.Dir = ctr.bundlePath()
 cmd.SysProcAttr = &syscall.SysProcAttr{
@@ -327,7 +311,33 @@ func (r *OCIRuntime) createOCIContainer(ctr *Container, cgroupParent string) (er
 cmd.ExtraFiles = append(cmd.ExtraFiles, fds...)
 }
 
- err = cmd.Start()
+ if selinux.GetEnabled() {
+ // Set the label of the conmon process to be level :s0
+ // This will allow the container processes to talk to fifo-files
+ // passed into the container by conmon
+ plabel, err := selinux.CurrentLabel()
+ if err != nil {
+ childPipe.Close()
+ return errors.Wrapf(err, "Failed to get current SELinux label")
+ }
+
+ c := selinux.NewContext(plabel)
+ runtime.LockOSThread()
+ if c["level"] != "s0" && c["level"] != "" {
+ c["level"] = "s0"
+ if err := label.SetProcessLabel(c.Get()); err != nil {
+ runtime.UnlockOSThread()
+ return err
+ }
+ }
+ err = cmd.Start()
+ // Ignore error returned from SetProcessLabel("") call,
+ // can't recover.
+ label.SetProcessLabel("")
+ runtime.UnlockOSThread()
+ } else {
+ err = cmd.Start()
+ }
 if err != nil {
 childPipe.Close()
 return err
-- 
cgit v1.2.3-54-g00ecf
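Review bot: In the `selinux.GetEnabled()` branch, `plabel, err := selinux.CurrentLabel()` declares a new block-scoped `err`, so the `err = cmd.Start()` inside that block assigns the shadow while the `if err != nil` after the block still reads the enclosing `err` — a failed conmon start goes unreported on SELinux-enabled hosts, whereas the `else` branch reports it. Declare the label without `:=`, e.g. `var plabel string` followed by `plabel, err = selinux.CurrentLabel()`, so both branches feed the same variable. The `label.SetProcessLabel(c.Get())` error path also returns without `childPipe.Close()`, unlike the other error returns in this hunk. Since `runtime.UnlockOSThread()` follows the ignored `label.SetProcessLabel("")` result, a failed reset would presumably hand an OS thread still carrying the s0 exec label back to the scheduler, which is the very condition the commit is fixing, so that error is worth logging rather than discarding. createOCIContainer begins and ends outside this hunk.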