Don't hard code SELinux labels into code

These labels can be changed based on installed policy.

I am working on allowing containers within containers, but this
will require different SELinux label types other than container_file_t.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Daniel J Walsh 2023-02-22 17:46:07 -05:00
parent 06974143fa
commit 01b671bc79
No known key found for this signature in database
GPG Key ID: A2DF901DABE2C028
1 changed files with 3 additions and 2 deletions


@ -47,8 +47,7 @@ var (
)
const (
defaultPerms = os.FileMode(0555)
selinuxLabelTest = "system_u:object_r:container_file_t:s0"
defaultPerms = os.FileMode(0555)
)
// This backend uses the overlay union filesystem for containers
@ -657,6 +656,8 @@ func SupportsNativeOverlay(home, runhome string) (bool, error) {
func supportsOverlay(home string, homeMagic graphdriver.FsMagic, rootUID, rootGID int) (supportsDType bool, err error) {
// We can try to modprobe overlay first
selinuxLabelTest := selinux.PrivContainerMountLabel()
exec.Command("modprobe", "overlay").Run()
logLevel := logrus.ErrorLevel
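Review bot: The new `selinuxLabelTest := selinux.PrivContainerMountLabel()` line in supportsOverlay sits between the comment `// We can try to modprobe overlay first` and the `exec.Command("modprobe", "overlay").Run()` call that the comment describes, so the comment now reads as if it documents the label lookup. Move the assignment above the comment and give it its own, e.g. `// Take the test mount label from the installed SELinux policy instead of assuming container_file_t.` The value now depends on the host's policy and may presumably be empty when SELinux is disabled or the policy's label file cannot be read. How it is consumed lies outside this hunk, so it is worth confirming that the test mount tolerates an empty label rather than building an empty `context=` option. The body of supportsOverlay continues past the end of the hunk.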