Initial work on selinux patch

This has every container using the docker daemon's pid for the processes
label so it does not work correctly.
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)

daemon/container.go

@@ -11,6 +11,7 @@ import (
 	"github.com/dotcloud/docker/image"
 	"github.com/dotcloud/docker/links"
 	"github.com/dotcloud/docker/nat"
+	"github.com/dotcloud/docker/pkg/selinux"
 	"github.com/dotcloud/docker/runconfig"
 	"github.com/dotcloud/docker/utils"
 	"io"
@@ -64,7 +65,8 @@ type Container struct {
 	stdin     io.ReadCloser
 	stdinPipe io.WriteCloser
 
-	daemon *Daemon
+	daemon                   *Daemon
+	mountLabel, processLabel string
 
 	waitLock chan struct{}
 	Volumes  map[string]string
@@ -320,9 +322,11 @@ func (container *Container) Attach(stdin io.ReadCloser, stdinCloser io.Closer, s
 
 func populateCommand(c *Container, env []string) {
 	var (
-		en           *execdriver.Network
+		en      *execdriver.Network
-		driverConfig = make(map[string][]string)
+		context = make(map[string][]string)
 	)
+	context["process_label"] = []string{c.processLabel}
+	context["mount_label"] = []string{c.mountLabel}
 
 	en = &execdriver.Network{
 		Mtu:       c.daemon.config.Mtu,
@@ -340,7 +344,7 @@ func populateCommand(c *Container, env []string) {
 	}
 
 	// TODO: this can be removed after lxc-conf is fully deprecated
-	mergeLxcConfIntoOptions(c.hostConfig, driverConfig)
+	mergeLxcConfIntoOptions(c.hostConfig, context)
 
 	resources := &execdriver.Resources{
 		Memory:     c.Config.Memory,
@@ -358,7 +362,7 @@ func populateCommand(c *Container, env []string) {
 		Network:    en,
 		Tty:        c.Config.Tty,
 		User:       c.Config.User,
-		Config:     driverConfig,
+		Config:     context,
 		Resources:  resources,
 	}
 	c.command.SysProcAttr = &syscall.SysProcAttr{Setsid: true}
@@ -383,6 +387,12 @@ func (container *Container) Start() (err error) {
 	if err := container.setupContainerDns(); err != nil {
 		return err
 	}
+
+	process, mount := selinux.GetLxcContexts()
+
+	container.mountLabel = mount
+	container.processLabel = process
+
 	if err := container.Mount(); err != nil {
 		return err
 	}

daemon/daemon.go

@@ -543,10 +543,10 @@ func (daemon *Daemon) createRootfs(container *Container, img *image.Image) error
 		return err
 	}
 	initID := fmt.Sprintf("%s-init", container.ID)
-	if err := daemon.driver.Create(initID, img.ID, ""); err != nil {
+	if err := daemon.driver.Create(initID, img.ID); err != nil {
 		return err
 	}
-	initPath, err := daemon.driver.Get(initID)
+	initPath, err := daemon.driver.Get(initID, "")
 	if err != nil {
 		return err
 	}
@@ -556,7 +556,7 @@ func (daemon *Daemon) createRootfs(container *Container, img *image.Image) error
 		return err
 	}
 
-	if err := daemon.driver.Create(container.ID, initID, ""); err != nil {
+	if err := daemon.driver.Create(container.ID, initID); err != nil {
 		return err
 	}
 	return nil
@@ -670,7 +670,6 @@ func NewDaemonFromDirectory(config *daemonconfig.Config, eng *engine.Engine) (*D
 	if !config.EnableSelinuxSupport {
 		selinux.SetDisabled()
 	}
-
 	// Set the default driver
 	graphdriver.DefaultDriver = config.GraphDriver
 
@@ -840,7 +839,7 @@ func (daemon *Daemon) Close() error {
 }
 
 func (daemon *Daemon) Mount(container *Container) error {
-	dir, err := daemon.driver.Get(container.ID)
+	dir, err := daemon.driver.Get(container.ID, container.mountLabel)
 	if err != nil {
 		return fmt.Errorf("Error getting container %s from driver %s: %s", container.ID, daemon.driver, err)
 	}
@@ -862,12 +861,12 @@ func (daemon *Daemon) Changes(container *Container) ([]archive.Change, error) {
 	if differ, ok := daemon.driver.(graphdriver.Differ); ok {
 		return differ.Changes(container.ID)
 	}
-	cDir, err := daemon.driver.Get(container.ID)
+	cDir, err := daemon.driver.Get(container.ID, "")
 	if err != nil {
 		return nil, fmt.Errorf("Error getting container rootfs %s from driver %s: %s", container.ID, container.daemon.driver, err)
 	}
 	defer daemon.driver.Put(container.ID)
-	initDir, err := daemon.driver.Get(container.ID + "-init")
+	initDir, err := daemon.driver.Get(container.ID+"-init", "")
 	if err != nil {
 		return nil, fmt.Errorf("Error getting container init rootfs %s from driver %s: %s", container.ID, container.daemon.driver, err)
 	}
@@ -885,7 +884,7 @@ func (daemon *Daemon) Diff(container *Container) (archive.Archive, error) {
 		return nil, err
 	}
 
-	cDir, err := daemon.driver.Get(container.ID)
+	cDir, err := daemon.driver.Get(container.ID, "")
 	if err != nil {
 		return nil, fmt.Errorf("Error getting container rootfs %s from driver %s: %s", container.ID, container.daemon.driver, err)
 	}

daemon/execdriver/native/create.go

@@ -8,7 +8,6 @@ import (
 	"github.com/dotcloud/docker/daemon/execdriver/native/configuration"
 	"github.com/dotcloud/docker/daemon/execdriver/native/template"
 	"github.com/dotcloud/docker/pkg/apparmor"
-	"github.com/dotcloud/docker/pkg/label"
 	"github.com/dotcloud/docker/pkg/libcontainer"
 )
 
@@ -119,14 +118,7 @@ func (d *driver) setupMounts(container *libcontainer.Container, c *execdriver.Co
 }
 
 func (d *driver) setupLabels(container *libcontainer.Container, c *execdriver.Command) error {
-	labels := c.Config["label"]
+	container.Context["process_label"] = c.Config["process_label"][0]
-	if len(labels) > 0 {
+	container.Context["mount_label"] = c.Config["mount_label"][0]
-		process, mount, err := label.GenLabels(labels[0])
-		if err != nil {
-			return err
-		}
-		container.Context["mount_label"] = mount
-		container.Context["process_label"] = process
-	}
 	return nil
 }

daemon/graphdriver/aufs/aufs.go

@@ -25,6 +25,7 @@ import (
 	"fmt"
 	"github.com/dotcloud/docker/archive"
 	"github.com/dotcloud/docker/daemon/graphdriver"
+	"github.com/dotcloud/docker/pkg/label"
 	mountpk "github.com/dotcloud/docker/pkg/mount"
 	"github.com/dotcloud/docker/utils"
 	"os"
@@ -134,7 +135,7 @@ func (a Driver) Exists(id string) bool {
 
 // Three folders are created for each id
 // mnt, layers, and diff
-func (a *Driver) Create(id, parent string, mountLabel string) error {
+func (a *Driver) Create(id, parent string) error {
 	if err := a.createDirsFor(id); err != nil {
 		return err
 	}
@@ -218,7 +219,7 @@ func (a *Driver) Remove(id string) error {
 
 // Return the rootfs path for the id
 // This will mount the dir at it's given path
-func (a *Driver) Get(id string) (string, error) {
+func (a *Driver) Get(id, mountLabel string) (string, error) {
 	ids, err := getParentIds(a.rootPath(), id)
 	if err != nil {
 		if !os.IsNotExist(err) {
@@ -240,7 +241,7 @@ func (a *Driver) Get(id string) (string, error) {
 		out = path.Join(a.rootPath(), "mnt", id)
 
 		if count == 0 {
-			if err := a.mount(id); err != nil {
+			if err := a.mount(id, mountLabel); err != nil {
 				return "", err
 			}
 		}
@@ -309,7 +310,7 @@ func (a *Driver) getParentLayerPaths(id string) ([]string, error) {
 	return layers, nil
 }
 
-func (a *Driver) mount(id string) error {
+func (a *Driver) mount(id, mountLabel string) error {
 	// If the id is mounted or we get an error return
 	if mounted, err := a.mounted(id); err != nil || mounted {
 		return err
@@ -325,7 +326,7 @@ func (a *Driver) mount(id string) error {
 		return err
 	}
 
-	if err := a.aufsMount(layers, rw, target); err != nil {
+	if err := a.aufsMount(layers, rw, target, mountLabel); err != nil {
 		return err
 	}
 	return nil
@@ -358,21 +359,21 @@ func (a *Driver) Cleanup() error {
 	return nil
 }
 
-func (a *Driver) aufsMount(ro []string, rw, target string) (err error) {
+func (a *Driver) aufsMount(ro []string, rw, target, mountLabel string) (err error) {
 	defer func() {
 		if err != nil {
 			Unmount(target)
 		}
 	}()
 
-	if err = a.tryMount(ro, rw, target); err != nil {
+	if err = a.tryMount(ro, rw, target, mountLabel); err != nil {
-		if err = a.mountRw(rw, target); err != nil {
+		if err = a.mountRw(rw, target, mountLabel); err != nil {
 			return
 		}
 
 		for _, layer := range ro {
-			branch := fmt.Sprintf("append:%s=ro+wh", layer)
+			data := label.FormatMountLabel(fmt.Sprintf("append:%s=ro+wh", layer), mountLabel)
-			if err = mount("none", target, "aufs", MsRemount, branch); err != nil {
+			if err = mount("none", target, "aufs", MsRemount, data); err != nil {
 				return
 			}
 		}
@@ -382,16 +383,18 @@ func (a *Driver) aufsMount(ro []string, rw, target string) (err error) {
 
 // Try to mount using the aufs fast path, if this fails then
 // append ro layers.
-func (a *Driver) tryMount(ro []string, rw, target string) (err error) {
+func (a *Driver) tryMount(ro []string, rw, target, mountLabel string) (err error) {
 	var (
 		rwBranch   = fmt.Sprintf("%s=rw", rw)
 		roBranches = fmt.Sprintf("%s=ro+wh:", strings.Join(ro, "=ro+wh:"))
+		data       = label.FormatMountLabel(fmt.Sprintf("br:%v:%v,xino=/dev/shm/aufs.xino", rwBranch, roBranches), mountLabel)
 	)
-	return mount("none", target, "aufs", 0, fmt.Sprintf("br:%v:%v,xino=/dev/shm/aufs.xino", rwBranch, roBranches))
+	return mount("none", target, "aufs", 0, data)
 }
 
-func (a *Driver) mountRw(rw, target string) error {
+func (a *Driver) mountRw(rw, target, mountLabel string) error {
-	return mount("none", target, "aufs", 0, fmt.Sprintf("br:%s,xino=/dev/shm/aufs.xino", rw))
+	data := label.FormatMountLabel(fmt.Sprintf("br:%s,xino=/dev/shm/aufs.xino", rw), mountLabel)
+	return mount("none", target, "aufs", 0, data)
 }
 
 func rollbackMount(target string, err error) {

daemon/graphdriver/aufs/aufs_test.go

@@ -90,7 +90,7 @@ func TestCreateNewDir(t *testing.T) {
 	d := newDriver(t)
 	defer os.RemoveAll(tmp)
 
-	if err := d.Create("1", "", ""); err != nil {
+	if err := d.Create("1", ""); err != nil {
 		t.Fatal(err)
 	}
 }
@@ -99,7 +99,7 @@ func TestCreateNewDirStructure(t *testing.T) {
 	d := newDriver(t)
 	defer os.RemoveAll(tmp)
 
-	if err := d.Create("1", "", ""); err != nil {
+	if err := d.Create("1", ""); err != nil {
 		t.Fatal(err)
 	}
 
@@ -120,7 +120,7 @@ func TestRemoveImage(t *testing.T) {
 	d := newDriver(t)
 	defer os.RemoveAll(tmp)
 
-	if err := d.Create("1", "", ""); err != nil {
+	if err := d.Create("1", ""); err != nil {
 		t.Fatal(err)
 	}
 
@@ -145,11 +145,11 @@ func TestGetWithoutParent(t *testing.T) {
 	d := newDriver(t)
 	defer os.RemoveAll(tmp)
 
-	if err := d.Create("1", "", ""); err != nil {
+	if err := d.Create("1", ""); err != nil {
 		t.Fatal(err)
 	}
 
-	diffPath, err := d.Get("1")
+	diffPath, err := d.Get("1", "")
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -172,7 +172,7 @@ func TestCleanupWithDir(t *testing.T) {
 	d := newDriver(t)
 	defer os.RemoveAll(tmp)
 
-	if err := d.Create("1", "", ""); err != nil {
+	if err := d.Create("1", ""); err != nil {
 		t.Fatal(err)
 	}
 
@@ -185,7 +185,7 @@ func TestMountedFalseResponse(t *testing.T) {
 	d := newDriver(t)
 	defer os.RemoveAll(tmp)
 
-	if err := d.Create("1", "", ""); err != nil {
+	if err := d.Create("1", ""); err != nil {
 		t.Fatal(err)
 	}
 
@@ -204,14 +204,14 @@ func TestMountedTrueReponse(t *testing.T) {
 	defer os.RemoveAll(tmp)
 	defer d.Cleanup()
 
-	if err := d.Create("1", "", ""); err != nil {
+	if err := d.Create("1", ""); err != nil {
 		t.Fatal(err)
 	}
-	if err := d.Create("2", "1", ""); err != nil {
+	if err := d.Create("2", "1"); err != nil {
 		t.Fatal(err)
 	}
 
-	_, err := d.Get("2")
+	_, err := d.Get("2", "")
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -230,10 +230,10 @@ func TestMountWithParent(t *testing.T) {
 	d := newDriver(t)
 	defer os.RemoveAll(tmp)
 
-	if err := d.Create("1", "", ""); err != nil {
+	if err := d.Create("1", ""); err != nil {
 		t.Fatal(err)
 	}
-	if err := d.Create("2", "1", ""); err != nil {
+	if err := d.Create("2", "1"); err != nil {
 		t.Fatal(err)
 	}
 
@@ -243,7 +243,7 @@ func TestMountWithParent(t *testing.T) {
 		}
 	}()
 
-	mntPath, err := d.Get("2")
+	mntPath, err := d.Get("2", "")
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -261,10 +261,10 @@ func TestRemoveMountedDir(t *testing.T) {
 	d := newDriver(t)
 	defer os.RemoveAll(tmp)
 
-	if err := d.Create("1", "", ""); err != nil {
+	if err := d.Create("1", ""); err != nil {
 		t.Fatal(err)
 	}
-	if err := d.Create("2", "1", ""); err != nil {
+	if err := d.Create("2", "1"); err != nil {
 		t.Fatal(err)
 	}
 
@@ -274,7 +274,7 @@ func TestRemoveMountedDir(t *testing.T) {
 		}
 	}()
 
-	mntPath, err := d.Get("2")
+	mntPath, err := d.Get("2", "")
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -300,7 +300,7 @@ func TestCreateWithInvalidParent(t *testing.T) {
 	d := newDriver(t)
 	defer os.RemoveAll(tmp)
 
-	if err := d.Create("1", "docker", ""); err == nil {
+	if err := d.Create("1", "docker"); err == nil {
 		t.Fatalf("Error should not be nil with parent does not exist")
 	}
 }
@@ -309,11 +309,11 @@ func TestGetDiff(t *testing.T) {
 	d := newDriver(t)
 	defer os.RemoveAll(tmp)
 
-	if err := d.Create("1", "", ""); err != nil {
+	if err := d.Create("1", ""); err != nil {
 		t.Fatal(err)
 	}
 
-	diffPath, err := d.Get("1")
+	diffPath, err := d.Get("1", "")
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -343,10 +343,10 @@ func TestChanges(t *testing.T) {
 	d := newDriver(t)
 	defer os.RemoveAll(tmp)
 
-	if err := d.Create("1", "", ""); err != nil {
+	if err := d.Create("1", ""); err != nil {
 		t.Fatal(err)
 	}
-	if err := d.Create("2", "1", ""); err != nil {
+	if err := d.Create("2", "1"); err != nil {
 		t.Fatal(err)
 	}
 
@@ -356,7 +356,7 @@ func TestChanges(t *testing.T) {
 		}
 	}()
 
-	mntPoint, err := d.Get("2")
+	mntPoint, err := d.Get("2", "")
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -392,10 +392,10 @@ func TestChanges(t *testing.T) {
 		t.Fatalf("Change kind should be ChangeAdd got %s", change.Kind)
 	}
 
-	if err := d.Create("3", "2", ""); err != nil {
+	if err := d.Create("3", "2"); err != nil {
 		t.Fatal(err)
 	}
-	mntPoint, err = d.Get("3")
+	mntPoint, err = d.Get("3", "")
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -437,11 +437,11 @@ func TestDiffSize(t *testing.T) {
 	d := newDriver(t)
 	defer os.RemoveAll(tmp)
 
-	if err := d.Create("1", "", ""); err != nil {
+	if err := d.Create("1", ""); err != nil {
 		t.Fatal(err)
 	}
 
-	diffPath, err := d.Get("1")
+	diffPath, err := d.Get("1", "")
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -479,11 +479,11 @@ func TestChildDiffSize(t *testing.T) {
 	defer os.RemoveAll(tmp)
 	defer d.Cleanup()
 
-	if err := d.Create("1", "", ""); err != nil {
+	if err := d.Create("1", ""); err != nil {
 		t.Fatal(err)
 	}
 
-	diffPath, err := d.Get("1")
+	diffPath, err := d.Get("1", "")
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -515,7 +515,7 @@ func TestChildDiffSize(t *testing.T) {
 		t.Fatalf("Expected size to be %d got %d", size, diffSize)
 	}
 
-	if err := d.Create("2", "1", ""); err != nil {
+	if err := d.Create("2", "1"); err != nil {
 		t.Fatal(err)
 	}
 
@@ -534,7 +534,7 @@ func TestExists(t *testing.T) {
 	defer os.RemoveAll(tmp)
 	defer d.Cleanup()
 
-	if err := d.Create("1", "", ""); err != nil {
+	if err := d.Create("1", ""); err != nil {
 		t.Fatal(err)
 	}
 
@@ -552,7 +552,7 @@ func TestStatus(t *testing.T) {
 	defer os.RemoveAll(tmp)
 	defer d.Cleanup()
 
-	if err := d.Create("1", "", ""); err != nil {
+	if err := d.Create("1", ""); err != nil {
 		t.Fatal(err)
 	}
 
@@ -581,11 +581,11 @@ func TestApplyDiff(t *testing.T) {
 	defer os.RemoveAll(tmp)
 	defer d.Cleanup()
 
-	if err := d.Create("1", "", ""); err != nil {
+	if err := d.Create("1", ""); err != nil {
 		t.Fatal(err)
 	}
 
-	diffPath, err := d.Get("1")
+	diffPath, err := d.Get("1", "")
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -607,10 +607,10 @@ func TestApplyDiff(t *testing.T) {
 		t.Fatal(err)
 	}
 
-	if err := d.Create("2", "", ""); err != nil {
+	if err := d.Create("2", ""); err != nil {
 		t.Fatal(err)
 	}
-	if err := d.Create("3", "2", ""); err != nil {
+	if err := d.Create("3", "2"); err != nil {
 		t.Fatal(err)
 	}
 
@@ -620,7 +620,7 @@ func TestApplyDiff(t *testing.T) {
 
 	// Ensure that the file is in the mount point for id 3
 
-	mountPoint, err := d.Get("3")
+	mountPoint, err := d.Get("3", "")
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -656,11 +656,11 @@ func TestMountMoreThan42Layers(t *testing.T) {
 		}
 		current = hash(current)
 
-		if err := d.Create(current, parent, ""); err != nil {
+		if err := d.Create(current, parent); err != nil {
 			t.Logf("Current layer %d", i)
 			t.Fatal(err)
 		}
-		point, err := d.Get(current)
+		point, err := d.Get(current, "")
 		if err != nil {
 			t.Logf("Current layer %d", i)
 			t.Fatal(err)
@@ -683,7 +683,7 @@ func TestMountMoreThan42Layers(t *testing.T) {
 	}
 
 	// Perform the actual mount for the top most image
-	point, err := d.Get(last)
+	point, err := d.Get(last, "")
 	if err != nil {
 		t.Fatal(err)
 	}

daemon/graphdriver/aufs/migrate.go

@@ -77,11 +77,11 @@ func (a *Driver) migrateContainers(pth string, setupInit func(p string) error) e
 				}
 
 				initID := fmt.Sprintf("%s-init", id)
-				if err := a.Create(initID, metadata.Image, ""); err != nil {
+				if err := a.Create(initID, metadata.Image); err != nil {
 					return err
 				}
 
-				initPath, err := a.Get(initID)
+				initPath, err := a.Get(initID, "")
 				if err != nil {
 					return err
 				}
@@ -90,7 +90,7 @@ func (a *Driver) migrateContainers(pth string, setupInit func(p string) error) e
 					return err
 				}
 
-				if err := a.Create(id, initID, ""); err != nil {
+				if err := a.Create(id, initID); err != nil {
 					return err
 				}
 			}
@@ -144,7 +144,7 @@ func (a *Driver) migrateImage(m *metadata, pth string, migrated map[string]bool)
 			return err
 		}
 		if !a.Exists(m.ID) {
-			if err := a.Create(m.ID, m.ParentID, ""); err != nil {
+			if err := a.Create(m.ID, m.ParentID); err != nil {
 				return err
 			}
 		}

daemon/graphdriver/btrfs/btrfs.go

@@ -80,7 +80,7 @@ func getDirFd(dir *C.DIR) uintptr {
 	return uintptr(C.dirfd(dir))
 }
 
-func subvolCreate(path, name string, mountLabel string) error {
+func subvolCreate(path, name string) error {
 	dir, err := openDir(path)
 	if err != nil {
 		return err
@@ -155,17 +155,17 @@ func (d *Driver) subvolumesDirId(id string) string {
 	return path.Join(d.subvolumesDir(), id)
 }
 
-func (d *Driver) Create(id string, parent string, mountLabel string) error {
+func (d *Driver) Create(id string, parent string) error {
 	subvolumes := path.Join(d.home, "subvolumes")
 	if err := os.MkdirAll(subvolumes, 0700); err != nil {
 		return err
 	}
 	if parent == "" {
-		if err := subvolCreate(subvolumes, id, mountLabel); err != nil {
+		if err := subvolCreate(subvolumes, id); err != nil {
 			return err
 		}
 	} else {
-		parentDir, err := d.Get(parent)
+		parentDir, err := d.Get(parent, "")
 		if err != nil {
 			return err
 		}
@@ -187,7 +187,7 @@ func (d *Driver) Remove(id string) error {
 	return os.RemoveAll(dir)
 }
 
-func (d *Driver) Get(id string) (string, error) {
+func (d *Driver) Get(id, mountLabel string) (string, error) {
 	dir := d.subvolumesDirId(id)
 	st, err := os.Stat(dir)
 	if err != nil {

daemon/graphdriver/devmapper/deviceset.go

@@ -845,7 +845,7 @@ func (devices *DeviceSet) Shutdown() error {
 	return nil
 }
 
-func (devices *DeviceSet) MountDevice(hash, path string, mountLabel string) error {
+func (devices *DeviceSet) MountDevice(hash, path, mountLabel string) error {
 	info, err := devices.lookupDevice(hash)
 	if err != nil {
 		return err
@@ -858,6 +858,7 @@ func (devices *DeviceSet) MountDevice(hash, path string, mountLabel string) erro
 	defer devices.Unlock()
 
 	if info.mountCount > 0 {
+		fmt.Printf("---> already mounted\n")
 		if path != info.mountPath {
 			return fmt.Errorf("Trying to mount devmapper device in multple places (%s, %s)", info.mountPath, path)
 		}
@@ -873,9 +874,12 @@ func (devices *DeviceSet) MountDevice(hash, path string, mountLabel string) erro
 	var flags uintptr = sysMsMgcVal
 
 	mountOptions := label.FormatMountLabel("discard", mountLabel)
+	fmt.Printf("-----> setting mount label %s\n", mountOptions)
+
 	err = sysMount(info.DevName(), path, "ext4", flags, mountOptions)
 	if err != nil && err == sysEInval {
-		mountOptions = label.FormatMountLabel(mountLabel, "")
+		mountOptions = label.FormatMountLabel("", mountLabel)
+		fmt.Printf("-----> setting mount label after error %s\n", mountOptions)
 		err = sysMount(info.DevName(), path, "ext4", flags, mountOptions)
 	}
 	if err != nil {

daemon/graphdriver/devmapper/driver.go

@@ -60,7 +60,7 @@ func (d *Driver) Cleanup() error {
 	return d.DeviceSet.Shutdown()
 }
 
-func (d *Driver) Create(id, parent string, mountLabel string) error {
+func (d *Driver) Create(id, parent string) error {
 	if err := d.DeviceSet.AddDevice(id, parent); err != nil {
 		return err
 	}
@@ -89,7 +89,7 @@ func (d *Driver) Remove(id string) error {
 	return nil
 }
 
-func (d *Driver) Get(id string) (string, error) {
+func (d *Driver) Get(id, mountLabel string) (string, error) {
 	mp := path.Join(d.home, "mnt", id)
 
 	// Create the target directories if they don't exist

daemon/graphdriver/devmapper/driver_test.go

@@ -436,6 +436,12 @@ func TestDriverCreate(t *testing.T) {
 		return nil
 	}
 
+	sysUnmount = func(target string, flag int) error {
+		//calls["sysUnmount"] = true
+
+		return nil
+	}
+
 	Mounted = func(mnt string) (bool, error) {
 		calls["Mounted"] = true
 		if !strings.HasPrefix(mnt, "/tmp/docker-test-devmapper-") || !strings.HasSuffix(mnt, "/mnt/1") {
@@ -494,7 +500,7 @@ func TestDriverCreate(t *testing.T) {
 			"?ioctl.loopctlgetfree",
 		)
 
-		if err := d.Create("1", "", ""); err != nil {
+		if err := d.Create("1", ""); err != nil {
 			t.Fatal(err)
 		}
 		calls.Assert(t,
@@ -542,7 +548,6 @@ func TestDriverRemove(t *testing.T) {
 		return nil
 	}
 	sysUnmount = func(target string, flags int) (err error) {
-		calls["sysUnmount"] = true
 		// FIXME: compare the exact source and target strings (inodes + devname)
 		if expectedTarget := "/tmp/docker-test-devmapper-"; !strings.HasPrefix(target, expectedTarget) {
 			t.Fatalf("Wrong syscall call\nExpected: Mount(%v)\nReceived: Mount(%v)\n", expectedTarget, target)
@@ -607,7 +612,7 @@ func TestDriverRemove(t *testing.T) {
 			"?ioctl.loopctlgetfree",
 		)
 
-		if err := d.Create("1", "", ""); err != nil {
+		if err := d.Create("1", ""); err != nil {
 			t.Fatal(err)
 		}
 
@@ -657,21 +662,21 @@ func TestCleanup(t *testing.T) {
 
 	mountPoints := make([]string, 2)
 
-	if err := d.Create("1", "", ""); err != nil {
+	if err := d.Create("1", ""); err != nil {
 		t.Fatal(err)
 	}
 	// Mount the id
-	p, err := d.Get("1")
+	p, err := d.Get("1", "")
 	if err != nil {
 		t.Fatal(err)
 	}
 	mountPoints[0] = p
 
-	if err := d.Create("2", "1", ""); err != nil {
+	if err := d.Create("2", "1"); err != nil {
 		t.Fatal(err)
 	}
 
-	p, err = d.Get("2")
+	p, err = d.Get("2", "")
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -720,7 +725,7 @@ func TestNotMounted(t *testing.T) {
 	d := newDriver(t)
 	defer cleanup(d)
 
-	if err := d.Create("1", "", ""); err != nil {
+	if err := d.Create("1", ""); err != nil {
 		t.Fatal(err)
 	}
 
@@ -738,10 +743,10 @@ func TestMounted(t *testing.T) {
 	d := newDriver(t)
 	defer cleanup(d)
 
-	if err := d.Create("1", "", ""); err != nil {
+	if err := d.Create("1", ""); err != nil {
 		t.Fatal(err)
 	}
-	if _, err := d.Get("1"); err != nil {
+	if _, err := d.Get("1", ""); err != nil {
 		t.Fatal(err)
 	}
 
@@ -758,10 +763,10 @@ func TestInitCleanedDriver(t *testing.T) {
 	t.Skip("FIXME: not a unit test")
 	d := newDriver(t)
 
-	if err := d.Create("1", "", ""); err != nil {
+	if err := d.Create("1", ""); err != nil {
 		t.Fatal(err)
 	}
-	if _, err := d.Get("1"); err != nil {
+	if _, err := d.Get("1", ""); err != nil {
 		t.Fatal(err)
 	}
 
@@ -776,7 +781,7 @@ func TestInitCleanedDriver(t *testing.T) {
 	d = driver.(*Driver)
 	defer cleanup(d)
 
-	if _, err := d.Get("1"); err != nil {
+	if _, err := d.Get("1", ""); err != nil {
 		t.Fatal(err)
 	}
 }
@@ -786,16 +791,16 @@ func TestMountMountedDriver(t *testing.T) {
 	d := newDriver(t)
 	defer cleanup(d)
 
-	if err := d.Create("1", "", ""); err != nil {
+	if err := d.Create("1", ""); err != nil {
 		t.Fatal(err)
 	}
 
 	// Perform get on same id to ensure that it will
 	// not be mounted twice
-	if _, err := d.Get("1"); err != nil {
+	if _, err := d.Get("1", ""); err != nil {
 		t.Fatal(err)
 	}
-	if _, err := d.Get("1"); err != nil {
+	if _, err := d.Get("1", ""); err != nil {
 		t.Fatal(err)
 	}
 }
@@ -805,7 +810,7 @@ func TestGetReturnsValidDevice(t *testing.T) {
 	d := newDriver(t)
 	defer cleanup(d)
 
-	if err := d.Create("1", "", ""); err != nil {
+	if err := d.Create("1", ""); err != nil {
 		t.Fatal(err)
 	}
 
@@ -813,7 +818,7 @@ func TestGetReturnsValidDevice(t *testing.T) {
 		t.Fatalf("Expected id 1 to be in device set")
 	}
 
-	if _, err := d.Get("1"); err != nil {
+	if _, err := d.Get("1", ""); err != nil {
 		t.Fatal(err)
 	}
 
@@ -833,11 +838,11 @@ func TestDriverGetSize(t *testing.T) {
 	d := newDriver(t)
 	defer cleanup(d)
 
-	if err := d.Create("1", "", ""); err != nil {
+	if err := d.Create("1", ""); err != nil {
 		t.Fatal(err)
 	}
 
-	mountPoint, err := d.Get("1")
+	mountPoint, err := d.Get("1", "")
 	if err != nil {
 		t.Fatal(err)
 	}

daemon/graphdriver/driver.go

@@ -13,10 +13,10 @@ type InitFunc func(root string) (Driver, error)
 type Driver interface {
 	String() string
 
-	Create(id, parent string, mountLabel string) error
+	Create(id, parent string) error
 	Remove(id string) error
 
-	Get(id string) (dir string, err error)
+	Get(id, mountLabel string) (dir string, err error)
 	Put(id string)
 	Exists(id string) bool
 

daemon/graphdriver/vfs/driver.go

@@ -42,7 +42,7 @@ func copyDir(src, dst string) error {
 	return nil
 }
 
-func (d *Driver) Create(id string, parent string, mountLabel string) error {
+func (d *Driver) Create(id, parent string) error {
 	dir := d.dir(id)
 	if err := os.MkdirAll(path.Dir(dir), 0700); err != nil {
 		return err
@@ -53,7 +53,7 @@ func (d *Driver) Create(id string, parent string, mountLabel string) error {
 	if parent == "" {
 		return nil
 	}
-	parentDir, err := d.Get(parent)
+	parentDir, err := d.Get(parent, "")
 	if err != nil {
 		return fmt.Errorf("%s: %s", parent, err)
 	}
@@ -74,7 +74,7 @@ func (d *Driver) Remove(id string) error {
 	return os.RemoveAll(d.dir(id))
 }
 
-func (d *Driver) Get(id string) (string, error) {
+func (d *Driver) Get(id, mountLabel string) (string, error) {
 	dir := d.dir(id)
 	if st, err := os.Stat(dir); err != nil {
 		return "", err

daemon/volumes.go

@@ -204,7 +204,7 @@ func createVolumes(container *Container) error {
 			if err != nil {
 				return err
 			}
-			srcPath, err = volumesDriver.Get(c.ID)
+			srcPath, err = volumesDriver.Get(c.ID, "")
 			if err != nil {
 				return fmt.Errorf("Driver %s failed to get volume rootfs %s: %s", volumesDriver, c.ID, err)
 			}

daemonconfig/config.go

@@ -29,6 +29,7 @@ type Config struct {
 	Mtu                         int
 	DisableNetwork              bool
 	EnableSelinuxSupport        bool
+	Context                     map[string][]string
 }
 
 // ConfigFromJob creates and returns a new DaemonConfig object
@@ -46,7 +47,7 @@ func ConfigFromJob(job *engine.Job) *Config {
 		InterContainerCommunication: job.GetenvBool("InterContainerCommunication"),
 		GraphDriver:                 job.Getenv("GraphDriver"),
 		ExecDriver:                  job.Getenv("ExecDriver"),
-		EnableSelinuxSupport:        false, // FIXME: hardcoded default to disable selinux for .10 release
+		EnableSelinuxSupport:        job.GetenvBool("SelinuxEnabled"),
 	}
 	if dns := job.GetenvList("Dns"); dns != nil {
 		config.Dns = dns

docker/docker.go

@@ -64,6 +64,7 @@ func main() {
 		flCa                 = flag.String([]string{"-tlscacert"}, dockerConfDir+defaultCaFile, "Trust only remotes providing a certificate signed by the CA given here")
 		flCert               = flag.String([]string{"-tlscert"}, dockerConfDir+defaultCertFile, "Path to TLS certificate file")
 		flKey                = flag.String([]string{"-tlskey"}, dockerConfDir+defaultKeyFile, "Path to TLS key file")
+		flSelinuxEnabled     = flag.Bool([]string{"-selinux-enabled"}, false, "Enable selinux support")
 	)
 	flag.Var(&flDns, []string{"#dns", "-dns"}, "Force docker to use specific DNS servers")
 	flag.Var(&flDnsSearch, []string{"-dns-search"}, "Force Docker to use specific DNS search domains")
@@ -148,6 +149,7 @@ func main() {
 			job.Setenv("GraphDriver", *flGraphDriver)
 			job.Setenv("ExecDriver", *flExecDriver)
 			job.SetenvInt("Mtu", *flMtu)
+			job.SetenvBool("SelinuxEnabled", *flSelinuxEnabled)
 			if err := job.Run(); err != nil {
 				log.Fatal(err)
 			}

graph/graph.go

@@ -98,7 +98,7 @@ func (graph *Graph) Get(name string) (*image.Image, error) {
 	img.SetGraph(graph)
 
 	if img.Size < 0 {
-		rootfs, err := graph.driver.Get(img.ID)
+		rootfs, err := graph.driver.Get(img.ID, "")
 		if err != nil {
 			return nil, fmt.Errorf("Driver %s failed to get image rootfs %s: %s", graph.driver, img.ID, err)
 		}
@@ -110,7 +110,7 @@ func (graph *Graph) Get(name string) (*image.Image, error) {
 				return nil, err
 			}
 		} else {
-			parentFs, err := graph.driver.Get(img.Parent)
+			parentFs, err := graph.driver.Get(img.Parent, "")
 			if err != nil {
 				return nil, err
 			}
@@ -191,11 +191,11 @@ func (graph *Graph) Register(jsonData []byte, layerData archive.ArchiveReader, i
 	}
 
 	// Create root filesystem in the driver
-	if err := graph.driver.Create(img.ID, img.Parent, ""); err != nil {
+	if err := graph.driver.Create(img.ID, img.Parent); err != nil {
 		return fmt.Errorf("Driver %s failed to create image rootfs %s: %s", graph.driver, img.ID, err)
 	}
 	// Mount the root filesystem so we can apply the diff/layer
-	rootfs, err := graph.driver.Get(img.ID)
+	rootfs, err := graph.driver.Get(img.ID, "")
 	if err != nil {
 		return fmt.Errorf("Driver %s failed to get image rootfs %s: %s", graph.driver, img.ID, err)
 	}

image/image.go

@@ -98,7 +98,7 @@ func StoreImage(img *Image, jsonData []byte, layerData archive.ArchiveReader, ro
 					return err
 				}
 			} else {
-				parent, err := driver.Get(img.Parent)
+				parent, err := driver.Get(img.Parent, "")
 				if err != nil {
 					return err
 				}
@@ -159,7 +159,7 @@ func (img *Image) TarLayer() (arch archive.Archive, err error) {
 		return differ.Diff(img.ID)
 	}
 
-	imgFs, err := driver.Get(img.ID)
+	imgFs, err := driver.Get(img.ID, "")
 	if err != nil {
 		return nil, err
 	}
@@ -182,7 +182,7 @@ func (img *Image) TarLayer() (arch archive.Archive, err error) {
 		}), nil
 	}
 
-	parentFs, err := driver.Get(img.Parent)
+	parentFs, err := driver.Get(img.Parent, "")
 	if err != nil {
 		return nil, err
 	}

integration/graph_test.go

@@ -43,7 +43,7 @@ func TestMount(t *testing.T) {
 		t.Fatal(err)
 	}
 
-	if _, err := driver.Get(image.ID); err != nil {
+	if _, err := driver.Get(image.ID, ""); err != nil {
 		t.Fatal(err)
 	}
 }

integration/runtime_test.go

@@ -874,12 +874,12 @@ func TestDestroyWithInitLayer(t *testing.T) {
 	driver := daemon.Graph().Driver()
 
 	// Make sure that the container does not exist in the driver
-	if _, err := driver.Get(container.ID); err == nil {
+	if _, err := driver.Get(container.ID, ""); err == nil {
 		t.Fatal("Conttainer should not exist in the driver")
 	}
 
 	// Make sure that the init layer is removed from the driver
-	if _, err := driver.Get(fmt.Sprintf("%s-init", container.ID)); err == nil {
+	if _, err := driver.Get(fmt.Sprintf("%s-init", container.ID), ""); err == nil {
 		t.Fatal("Container's init layer should not exist in the driver")
 	}
 }

pkg/label/label_selinux.go

@@ -32,13 +32,13 @@ func GenLabels(options string) (string, string, error) {
 	return processLabel, mountLabel, err
 }
 
-func FormatMountLabel(src string, mountLabel string) string {
+func FormatMountLabel(src, mountLabel string) string {
-	if selinux.SelinuxEnabled() && mountLabel != "" {
+	if mountLabel != "" {
 		switch src {
 		case "":
-			src = fmt.Sprintf("%s,context=%s", src, mountLabel)
+			src = fmt.Sprintf("context=%q", mountLabel)
 		default:
-			src = fmt.Sprintf("context=%s", mountLabel)
+			src = fmt.Sprintf("%s,context=%q", src, mountLabel)
 		}
 	}
 	return src

pkg/libcontainer/nsinit/init.go

@@ -75,8 +75,9 @@ func (ns *linuxNs) Init(container *libcontainer.Container, uncleanRootfs, consol
 		}
 	}
 	runtime.LockOSThread()
+
 	if err := label.SetProcessLabel(container.Context["process_label"]); err != nil {
-		return fmt.Errorf("SetProcessLabel label %s", err)
+		return fmt.Errorf("set process label %s", err)
 	}
 	ns.logger.Printf("execing %s\n", args[0])
 	return system.Execv(args[0], args[0:], container.Env)