From 61b2766e758f21b8b6bd32dc82ba624c2f0c5fd6 Mon Sep 17 00:00:00 2001
From: Dan Walsh
Date: Thu, 20 Nov 2014 17:20:26 -0500
Subject: [PATCH 1/2] Label content created for containers with the private label

Currently this content gets a system label and is not writable based on SELinux controls. This patch will set the labels to the correct label.

Docker-DCO-1.1-Signed-off-by: Dan Walsh (github: rhatdan)
---
 daemon/volumes.go | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/daemon/volumes.go b/daemon/volumes.go
index a2cf3af33a..54cc0369dc 100644
--- a/daemon/volumes.go
+++ b/daemon/volumes.go
@@ -15,6 +15,7 @@ import (
 "github.com/docker/docker/pkg/chrootarchive"
 "github.com/docker/docker/pkg/symlink"
 "github.com/docker/docker/volumes"
+ "github.com/docker/libcontainer/label"
 )

 type Mount struct {
@@ -235,15 +236,24 @@ func validMountMode(mode string) bool {
 }

 func (container *Container) setupMounts() error {
+ if err := label.SetFileLabel(container.ResolvConfPath, container.MountLabel); err != nil {
+ return err
+ }
 mounts := []execdriver.Mount{
 {Source: container.ResolvConfPath, Destination: "/etc/resolv.conf", Writable: true, Private: true},
 }

 if container.HostnamePath != "" {
+ if err := label.SetFileLabel(container.HostnamePath, container.MountLabel); err != nil {
+ return err
+ }
 mounts = append(mounts, execdriver.Mount{Source: container.HostnamePath, Destination: "/etc/hostname", Writable: true, Private: true})
 }

 if container.HostsPath != "" {
+ if err := label.SetFileLabel(container.HostsPath, container.MountLabel); err != nil {
+ return err
+ }
 mounts = append(mounts, execdriver.Mount{Source: container.HostsPath, Destination: "/etc/hosts", Writable: true, Private: true})
 }

From 305e9cd2fab974c38064a1acd2ef1f552a3a1357 Mon Sep 17 00:00:00 2001
From: Michael Crosby
Date: Mon, 1 Dec 2014 14:54:14 -0500
Subject: [PATCH 2/2] Label standard mounts within loop
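Review bot: The three `label.SetFileLabel` calls added to `setupMounts` in patch 1/2 relabel whatever `container.ResolvConfPath`, `container.HostnamePath` and `container.HostsPath` point at, and nothing in the hunk checks that those files belong to this container. Where the paths are assigned is outside the hunk; if any of them can refer to a host file or to another container's file (a shared network configuration, for instance), the call would put this container's `MountLabel` on content that is not private to it. It would help to guard the relabel on the path being container-owned, or at least to state the assumption above the first call, e.g. `// These files are created per container by the daemon; never relabel a path shared with the host or another container.` `ResolvConfPath` is also passed without the empty-string check the other two paths get. The body of `setupMounts` continues past the end of the hunk.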
Signed-off-by: Michael Crosby
---
 daemon/volumes.go | 13 +++++--------
 1 file changed, 5 insertions(+), 8 deletions(-)

diff --git a/daemon/volumes.go b/daemon/volumes.go
index 54cc0369dc..46ae5588af 100644
--- a/daemon/volumes.go
+++ b/daemon/volumes.go
@@ -236,25 +236,22 @@ func validMountMode(mode string) bool {
 }

 func (container *Container) setupMounts() error {
- if err := label.SetFileLabel(container.ResolvConfPath, container.MountLabel); err != nil {
- return err
- }
 mounts := []execdriver.Mount{
 {Source: container.ResolvConfPath, Destination: "/etc/resolv.conf", Writable: true, Private: true},
 }

 if container.HostnamePath != "" {
- if err := label.SetFileLabel(container.HostnamePath, container.MountLabel); err != nil {
- return err
- }
 mounts = append(mounts, execdriver.Mount{Source: container.HostnamePath, Destination: "/etc/hostname", Writable: true, Private: true})
 }

 if container.HostsPath != "" {
- if err := label.SetFileLabel(container.HostsPath, container.MountLabel); err != nil {
+ mounts = append(mounts, execdriver.Mount{Source: container.HostsPath, Destination: "/etc/hosts", Writable: true, Private: true})
+ }
+
+ for _, m := range mounts {
+ if err := label.SetFileLabel(m.Source, container.MountLabel); err != nil {
 return err
 }
- mounts = append(mounts, execdriver.Mount{Source: container.HostsPath, Destination: "/etc/hosts", Writable: true, Private: true})
 }

 // Mount user specified volumes
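Review bot: The new `for _, m := range mounts` loop labels every entry in the slice, so its safety now depends on the slice holding only the three daemon-generated files at that point. The user-volume code that follows the `// Mount user specified volumes` comment is outside the hunk; if an entry with a host source is ever added before the loop, or the loop is moved below that code, host paths would receive the container's `MountLabel`. A comment above the loop would pin the invariant, e.g. `// Relabel only the daemon-generated files; user volumes are appended below and are not meant to be relabeled here.` The bare `return err` could also name the failing path, for example `return fmt.Errorf("relabel %s: %v", m.Source, err)`, assuming `fmt` is already imported in this file.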