diff --git a/components/engine/daemonconfig/config.go b/components/engine/daemonconfig/config.go
index 6cb3659e18..1abb6f8b89 100644
--- a/components/engine/daemonconfig/config.go
+++ b/components/engine/daemonconfig/config.go
@@ -1,10 +1,9 @@
 package daemonconfig
 import (
- "net"
-
 "github.com/dotcloud/docker/engine"
 "github.com/dotcloud/docker/runtime/networkdriver"
+ "net"
 )
 const (
diff --git a/components/engine/pkg/label/label.go b/components/engine/pkg/label/label.go
index be0d0ae079..38f026bc5a 100644
--- a/components/engine/pkg/label/label.go
+++ b/components/engine/pkg/label/label.go
@@ -6,7 +6,7 @@ func GenLabels(options string) (string, string, error) {
 return "", "", nil
 }
-func FormatMountLabel(src string, MountLabel string) string {
+func FormatMountLabel(src string, mountLabel string) string {
 return src
 }
diff --git a/components/engine/pkg/label/label_selinux.go b/components/engine/pkg/label/label_selinux.go
index 64a1720996..d807b2b408 100644
--- a/components/engine/pkg/label/label_selinux.go
+++ b/components/engine/pkg/label/label_selinux.go
@@ -10,12 +10,15 @@ import (
 func GenLabels(options string) (string, string, error) {
 processLabel, mountLabel := selinux.GetLxcContexts()
- var err error
 if processLabel == "" { // SELinux is disabled
- return "", "", err
+ return "", "", nil
 }
- s := strings.Fields(options)
- l := len(s)
+
+ var (
+ err error
+ s = strings.Fields(options)
+ l = len(s)
+ )
 if l > 0 {
 pcon := selinux.NewContext(processLabel)
 for i := 0; i < l; i++ {
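Review bot: The early return in GenLabels treats an empty `processLabel` as "SELinux is disabled", but GetLxcContexts (context lines of the selinux.go hunk in this commit) also returns two empty strings when `os.Open(lxcPath)` fails, so a missing or unreadable lxc_contexts file looks the same to callers: empty labels and a nil error. That is the situation the `content` → `contexts` path fix in this commit corrects, and nothing visible here would surface it if it happened again. The comment could say so, for example `// no process label: SELinux disabled, or lxc_contexts could not be read`, and GetLxcContexts could log or return the open error instead of discarding it. GenLabels continues past the end of this hunk.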
@@ -28,19 +31,16 @@ func GenLabels(options string) (string, string, error) {
 return processLabel, mountLabel, err
 }
-func FormatMountLabel(src string, MountLabel string) string {
- var mountLabel string
- if src != "" {
- mountLabel = src
- if MountLabel != "" {
- mountLabel = fmt.Sprintf("%s,context=\"%s\"", mountLabel, MountLabel)
- }
- } else {
- if MountLabel != "" {
- mountLabel = fmt.Sprintf("context=\"%s\"", MountLabel)
+func FormatMountLabel(src string, mountLabel string) string {
+ if mountLabel != "" {
+ switch src {
+ case "":
+ src = fmt.Sprintf("%s,context=%s", src, mountLabel)
+ default:
+ src = fmt.Sprintf("context=%s", mountLabel)
 }
 }
- return mountLabel
+ return src
 }
 func SetProcessLabel(processLabel string) error {
diff --git a/components/engine/pkg/selinux/selinux.go b/components/engine/pkg/selinux/selinux.go
index 6453f37ea9..5362308617 100644
--- a/components/engine/pkg/selinux/selinux.go
+++ b/components/engine/pkg/selinux/selinux.go
@@ -312,7 +312,7 @@ func GetLxcContexts() (processLabel string, fileLabel string) {
 if !SelinuxEnabled() {
 return "", ""
 }
- lxcPath := fmt.Sprintf("%s/content/lxc_contexts", GetSELinuxPolicyRoot())
+ lxcPath := fmt.Sprintf("%s/contexts/lxc_contexts", GetSELinuxPolicyRoot())
 in, err := os.Open(lxcPath)
 if err != nil {
 return "", ""
diff --git a/components/engine/runtime/execdriver/lxc/lxc_template.go b/components/engine/runtime/execdriver/lxc/lxc_template.go
index bad3249b31..c49753c6aa 100644
--- a/components/engine/runtime/execdriver/lxc/lxc_template.go
+++ b/components/engine/runtime/execdriver/lxc/lxc_template.go
@@ -32,8 +32,8 @@ lxc.pts = 1024
 lxc.console = none
 {{if .ProcessLabel}}
 lxc.se_context = {{ .ProcessLabel}}
-{{$MOUNTLABEL := .MountLabel}}
 {{end}}
+{{$MOUNTLABEL := .MountLabel}}
 # no controlling tty at all
 lxc.tty = 1
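Review bot: The two `switch src` cases in the new FormatMountLabel are swapped: with an empty `src` the result is `,context=<label>` (leading comma), and with a non-empty `src` the `default` branch overwrites it, so the caller's options are discarded. Combined with the lxc_template.go hunk at `-94,8` that now passes the real `$MOUNTLABEL`, the devpts and shm entries would lose `newinstance,ptmxmode=0666,nosuid,noexec` and `size=65536k,nosuid,nodev,noexec` whenever a mount label is set. The rewrite also drops the quotes the removed code put around the label; if a label carries a comma-separated category list (not visible on this page), the unquoted value would be read as several mount options. Suggested: `case "": src = fmt.Sprintf("context=\"%s\"", mountLabel)` and `default: src = fmt.Sprintf("%s,context=\"%s\"", src, mountLabel)`. A small table test over empty and non-empty `src` would pin this.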
@@ -94,8 +94,8 @@ lxc.mount.entry = sysfs {{escapeFstabSpaces $ROOTFS}}/sys sysfs nosuid,nodev,noe
 lxc.mount.entry = {{.Console}} {{escapeFstabSpaces $ROOTFS}}/dev/console none bind,rw 0 0
 {{end}}
-lxc.mount.entry = devpts {{escapeFstabSpaces $ROOTFS}}/dev/pts devpts {{formatMountLabel "newinstance,ptmxmode=0666,nosuid,noexec" "$MOUNTLABEL"}} 0 0
-lxc.mount.entry = shm {{escapeFstabSpaces $ROOTFS}}/dev/shm tmpfs {{formatMountLabel "size=65536k,nosuid,nodev,noexec" "$MOUNTLABEL"}} 0 0
+lxc.mount.entry = devpts {{escapeFstabSpaces $ROOTFS}}/dev/pts devpts {{formatMountLabel "newinstance,ptmxmode=0666,nosuid,noexec" $MOUNTLABEL}} 0 0
+lxc.mount.entry = shm {{escapeFstabSpaces $ROOTFS}}/dev/shm tmpfs {{formatMountLabel "size=65536k,nosuid,nodev,noexec" $MOUNTLABEL}} 0 0
 {{range $value := .Mounts}}
 {{if $value.Writable}}
@@ -151,14 +151,6 @@ func getMemorySwap(v *execdriver.Resources) int64 {
 return v.Memory * 2
 }
-func getProcessLabel(c map[string][]string) string {
- return getLabel(c, "process")
-}
-
-func getMountLabel(c map[string][]string) string {
- return getLabel(c, "mount")
-}
-
 func getLabel(c map[string][]string, name string) string {
 label := c["label"]
 for _, l := range label {
@@ -174,8 +166,6 @@ func init() {
 var err error
 funcMap := template.FuncMap{
 "getMemorySwap": getMemorySwap,
- "getProcessLabel": getProcessLabel,
- "getMountLabel": getMountLabel,
 "escapeFstabSpaces": escapeFstabSpaces,
 "formatMountLabel": label.FormatMountLabel,
 }