From 9870b5b4e4851e1a61929f5abb2fcb63451f1218 Mon Sep 17 00:00:00 2001 From: Dan Walsh Date: Tue, 1 Apr 2014 09:24:24 -0400 Subject: [PATCH 1/4] Remove hard coding of SELinux labels on systems without proper selinux policy. If a system is configured for SELinux but does not know about docker or containers, then we want the transitions of the policy to work. Hard coding the labels causes docker to break on older Fedora and RHEL systems Docker-DCO-1.1-Signed-off-by: Dan Walsh (github: rhatdan) Upstream-commit: 32ad78b0430079dcc53c245826a244afa2d9b6b6 Component: engine
---
components/engine/pkg/selinux/selinux.go | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/components/engine/pkg/selinux/selinux.go b/components/engine/pkg/selinux/selinux.go
index 5236d3fb87..5362308617 100644
--- a/components/engine/pkg/selinux/selinux.go
+++ b/components/engine/pkg/selinux/selinux.go
@@ -312,13 +312,10 @@ func GetLxcContexts() (processLabel string, fileLabel string) {
 if !SelinuxEnabled() {
 return "", ""
 }
- lxcPath := fmt.Sprintf("%s/content/lxc_contexts", GetSELinuxPolicyRoot())
- fileLabel = "system_u:object_r:svirt_sandbox_file_t:s0"
- processLabel = "system_u:system_r:svirt_lxc_net_t:s0"
-
+ lxcPath := fmt.Sprintf("%s/contexts/lxc_contexts", GetSELinuxPolicyRoot())
 in, err := os.Open(lxcPath)
 if err != nil {
- goto exit
+ return "", ""
 }
 defer in.Close()
@@ -352,6 +349,11 @@ func GetLxcContexts() (processLabel string, fileLabel string) {
 }
 }
 }
+
+ if processLabel == "" || fileLabel == "" {
+ return "", ""
+ }
+
 exit:
 mcs := IntToMcs(os.Getpid(), 1024)
 scon := NewContext(processLabel)
From 4e1b33060bb8ce383d5d0d8029d1d0d71b6e1961 Mon Sep 17 00:00:00 2001
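Review bot: The `return "", ""` on the os.Open failure is the deliberate "policy does not know about containers, run unlabeled" path that the commit message describes, but in the code it is indistinguishable from the SELinux-disabled return three lines above, so the next reader will treat it as a swallowed error and "fix" it. Add `// no lxc_contexts in this policy: fall back to unlabeled processes/files rather than hard-coding labels the policy may not define` above the `if err != nil`. GetLxcContexts starts before this hunk and continues after it.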
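Review bot: The new empty-label guard can still be bypassed: the `exit:` label is kept on the new side, so some other path in GetLxcContexts (not visible in this hunk, presumably a `goto exit` on a non-EOF read error) still jumps straight to `mcs := IntToMcs(...)` and `NewContext(processLabel)` with processLabel and fileLabel possibly empty or only partially parsed, which is exactly the state the guard was added to reject. Either move the check below the label, `exit:` followed by `if processLabel == "" || fileLabel == "" { return "", "" }`, or make the remaining jump return `"", ""` directly, so every route to the MCS assignment has both labels. The function begins before this hunk and ends after it.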
From: Dan Walsh Date: Tue, 1 Apr 2014 10:03:29 -0400 Subject: [PATCH 2/4] In certain cases, setting the process label will not happen. When the code attempts to set the ProcessLabel, it checks if SELinux Is enabled. We have seen a case with some of our patches where the code is fooled by the container to think that SELinux is not enabled. Calling label.Init before setting up the rest of the container, tells the library that SELinux is enabled and everything works fine. Docker-DCO-1.1-Signed-off-by: Dan Walsh (github: rhatdan) Upstream-commit: d76ac4d429e474a7c79f7aab396e318f4e176025 Component: engine
---
components/engine/pkg/label/label.go | 3 +++ components/engine/pkg/label/label_selinux.go | 4 ++++ components/engine/pkg/libcontainer/nsinit/init.go | 2 ++ 3 files changed, 9 insertions(+)
diff --git a/components/engine/pkg/label/label.go b/components/engine/pkg/label/label.go
index ba1e9f48ea..be0d0ae079 100644
--- a/components/engine/pkg/label/label.go
+++ b/components/engine/pkg/label/label.go
@@ -21,3 +21,6 @@ func SetFileLabel(path string, fileLabel string) error {
 func GetPidCon(pid int) (string, error) {
 return "", nil
 }
+
+func Init() {
+}
diff --git a/components/engine/pkg/label/label_selinux.go b/components/engine/pkg/label/label_selinux.go
index 300a8b6d14..64a1720996 100644
--- a/components/engine/pkg/label/label_selinux.go
+++ b/components/engine/pkg/label/label_selinux.go
@@ -67,3 +67,7 @@ func SetFileLabel(path string, fileLabel string) error {
 func GetPidCon(pid int) (string, error) {
 return selinux.Getpidcon(pid)
 }
+
+func Init() {
+ selinux.SelinuxEnabled()
+}
diff --git a/components/engine/pkg/libcontainer/nsinit/init.go b/components/engine/pkg/libcontainer/nsinit/init.go
index 5aa5f9f5b5..e5d69f5453 100644
--- a/components/engine/pkg/libcontainer/nsinit/init.go
+++ b/components/engine/pkg/libcontainer/nsinit/init.go
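Review bot: The exported Init in label_selinux.go discards the result of `selinux.SelinuxEnabled()` with no doc comment, so it reads as a no-op that a linter or a tidy-up will remove, silently reintroducing the bug the commit message describes. Document the side effect it relies on, e.g. `// Init probes whether SELinux is enabled while the probe can still see the host; the selinux package appears to cache the answer, so callers must invoke this before entering the container's mount namespace.` (the caching is inferred from the commit message, not visible here, and should be confirmed against the selinux package). The empty stub in label.go deserves the same comment so the two build variants stay in step.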
@@ -58,6 +58,8 @@ func (ns *linuxNs) Init(container *libcontainer.Container, uncleanRootfs, consol
 if err := system.ParentDeathSignal(uintptr(syscall.SIGTERM)); err != nil {
 return fmt.Errorf("parent death signal %s", err)
 }
+
+ label.Init()
 ns.logger.Println("setup mount namespace")
 if err := setupNewMountNamespace(rootfs, container.Mounts, console, container.ReadonlyFs, container.NoPivotRoot, container.Context["mount_label"]); err != nil {
 return fmt.Errorf("setup mount namespace %s", err)
From 7ca727547c4c03893beca969930a6482769c07b6 Mon Sep 17 00:00:00 2001 From: Dan Walsh Date: Wed, 2 Apr 2014 13:56:30 -0400 Subject: [PATCH 3/4] Fix SELinux issue with missing Contexts in lxc execdriver There is a bug in the SELinux patch for the lxc execdriver, that causes lxc containers to blow up whether or not SELinux is enabled. Docker-DCO-1.1-Signed-off-by: Dan Walsh (github: rhatdan) Upstream-commit: ca4224762b5fe9a319b6c1724ee16d1552403269 Component: engine
---
components/engine/daemonconfig/config.go | 3 +-- components/engine/runtime/execdriver/lxc/lxc_template.go | 6 +++--- 2 files changed, 4 insertions(+), 5 deletions(-)
diff --git a/components/engine/daemonconfig/config.go b/components/engine/daemonconfig/config.go
index 6cb3659e18..1abb6f8b89 100644
--- a/components/engine/daemonconfig/config.go
+++ b/components/engine/daemonconfig/config.go
@@ -1,10 +1,9 @@
 package daemonconfig
 import (
- "net"
-
 "github.com/dotcloud/docker/engine"
 "github.com/dotcloud/docker/runtime/networkdriver"
+ "net"
 )
 const (
diff --git a/components/engine/runtime/execdriver/lxc/lxc_template.go b/components/engine/runtime/execdriver/lxc/lxc_template.go
index f325ffcaef..83723285d0 100644
--- a/components/engine/runtime/execdriver/lxc/lxc_template.go
+++ b/components/engine/runtime/execdriver/lxc/lxc_template.go
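Review bot: The `label.Init()` call is order-sensitive — per the commit message it has to run before setupNewMountNamespace, because once the container's rootfs is in place the SELinux probe no longer sees the host — but nothing at the call site says so, so a later reordering of the setup steps would silently reintroduce the bug. Add `// must run before the mount namespace is set up: the SELinux enabled-probe is cached and is unreliable once the container's rootfs is visible` above the call. The enclosing Init method starts before this hunk and continues after it.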
@@ -32,8 +32,8 @@ lxc.pts = 1024
 lxc.console = none
 {{if getProcessLabel .Context}}
 lxc.se_context = {{ getProcessLabel .Context}}
-{{$MOUNTLABEL := getMountLabel .Context}}
 {{end}}
+{{$MOUNTLABEL := getMountLabel .Context}}
 # no controlling tty at all
 lxc.tty = 1
@@ -90,8 +90,8 @@ lxc.mount.entry = sysfs {{escapeFstabSpaces $ROOTFS}}/sys sysfs nosuid,nodev,noe
 lxc.mount.entry = {{.Console}} {{escapeFstabSpaces $ROOTFS}}/dev/console none bind,rw 0 0
 {{end}}
-lxc.mount.entry = devpts {{escapeFstabSpaces $ROOTFS}}/dev/pts devpts {{formatMountLabel "newinstance,ptmxmode=0666,nosuid,noexec" "$MOUNTLABEL"}} 0 0
-lxc.mount.entry = shm {{escapeFstabSpaces $ROOTFS}}/dev/shm tmpfs {{formatMountLabel "size=65536k,nosuid,nodev,noexec" "$MOUNTLABEL"}} 0 0
+lxc.mount.entry = devpts {{escapeFstabSpaces $ROOTFS}}/dev/pts devpts {{formatMountLabel "newinstance,ptmxmode=0666,nosuid,noexec" $MOUNTLABEL}} 0 0
+lxc.mount.entry = shm {{escapeFstabSpaces $ROOTFS}}/dev/shm tmpfs {{formatMountLabel "size=65536k,nosuid,nodev,noexec" $MOUNTLABEL}} 0 0
 {{range $value := .Mounts}}
 {{if $value.Writable}}
From 7270524938779a5ed8505942e329824ea9b22147 Mon Sep 17 00:00:00 2001 From: Michael Crosby Date: Wed, 2 Apr 2014 16:52:49 +0000 Subject: [PATCH 4/4] Fix lxc label handleing This also improves the logic around formatting the labels for selinux Docker-DCO-1.1-Signed-off-by: Michael Crosby (github: crosbymichael) Upstream-commit: 94233a204f82f857536c16f36f94d3a8ff0069dd Component: engine
---
components/engine/pkg/label/label.go | 2 +- components/engine/pkg/label/label_selinux.go | 30 +++++++++---------- .../runtime/execdriver/lxc/lxc_template.go | 13 +------- 3 files changed, 17 insertions(+), 28 deletions(-)
diff --git a/components/engine/pkg/label/label.go b/components/engine/pkg/label/label.go
index be0d0ae079..38f026bc5a 100644
--- a/components/engine/pkg/label/label.go
+++ b/components/engine/pkg/label/label.go
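Review bot: Moving `{{$MOUNTLABEL := getMountLabel .Context}}` out of the `{{if}}` is right but unexplained: in text/template a variable's scope ends at the `{{end}}` of the control structure it is declared in, so the old placement left `$MOUNTLABEL` out of scope at the devpts/shm mount entries further down, which is presumably the "blow up whether or not SELinux is enabled" the commit message refers to. Put a template comment next to the declaration, `{{/* declared outside the if: template variables are scoped to their enclosing control structure, and $MOUNTLABEL is used by the mount entries below */}}`, so the next tidy-up does not move it back inside.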
@@ -6,7 +6,7 @@ func GenLabels(options string) (string, string, error) {
 return "", "", nil
 }
-func FormatMountLabel(src string, MountLabel string) string {
+func FormatMountLabel(src string, mountLabel string) string {
 return src
 }
diff --git a/components/engine/pkg/label/label_selinux.go b/components/engine/pkg/label/label_selinux.go
index 64a1720996..d807b2b408 100644
--- a/components/engine/pkg/label/label_selinux.go
+++ b/components/engine/pkg/label/label_selinux.go
@@ -10,12 +10,15 @@ import (
 func GenLabels(options string) (string, string, error) {
 processLabel, mountLabel := selinux.GetLxcContexts()
- var err error
 if processLabel == "" { // SELinux is disabled
- return "", "", err
+ return "", "", nil
 }
- s := strings.Fields(options)
- l := len(s)
+
+ var (
+ err error
+ s = strings.Fields(options)
+ l = len(s)
+ )
 if l > 0 {
 pcon := selinux.NewContext(processLabel)
 for i := 0; i < l; i++ {
@@ -28,19 +31,16 @@ func GenLabels(options string) (string, string, error) {
 return processLabel, mountLabel, err
 }
-func FormatMountLabel(src string, MountLabel string) string {
- var mountLabel string
- if src != "" {
- mountLabel = src
- if MountLabel != "" {
- mountLabel = fmt.Sprintf("%s,context=\"%s\"", mountLabel, MountLabel)
- }
- } else {
- if MountLabel != "" {
- mountLabel = fmt.Sprintf("context=\"%s\"", MountLabel)
+func FormatMountLabel(src string, mountLabel string) string {
+ if mountLabel != "" {
+ switch src {
+ case "":
+ src = fmt.Sprintf("%s,context=%s", src, mountLabel)
+ default:
+ src = fmt.Sprintf("context=%s", mountLabel)
 }
 }
- return mountLabel
+ return src
 }
 func SetProcessLabel(processLabel string) error {
diff --git a/components/engine/runtime/execdriver/lxc/lxc_template.go b/components/engine/runtime/execdriver/lxc/lxc_template.go
index e3582e2369..c49753c6aa 100644
--- a/components/engine/runtime/execdriver/lxc/lxc_template.go
+++ b/components/engine/runtime/execdriver/lxc/lxc_template.go
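Review bot: The two switch arms in the rewritten FormatMountLabel are inverted: an empty src yields `,context=<label>` with a stray leading comma, and a non-empty src is thrown away and replaced by just `context=<label>`. The lxc template applies this function to the devpts (`newinstance,ptmxmode=0666,nosuid,noexec`) and shm (`size=65536k,nosuid,nodev,noexec`) mount options, so on an SELinux-enabled host those hardening flags are silently dropped from /dev/pts and /dev/shm of every container — the opposite of what the old code did. Swap the bodies: `case "": src = fmt.Sprintf("context=%s", mountLabel)` and `default: src = fmt.Sprintf("%s,context=%s", src, mountLabel)`. The rewrite also drops the quotes the old code put around the context value (`context=\"%s\"`); unless that was deliberate, keep them (e.g. `%q`), since a label containing a comma or whitespace would otherwise be split by the mount-option parser.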
@@ -32,9 +32,8 @@ lxc.pts = 1024
 lxc.console = none
 {{if .ProcessLabel}}
 lxc.se_context = {{ .ProcessLabel}}
-{{$MOUNTLABEL := .MountLabel}}
 {{end}}
-{{$MOUNTLABEL := getMountLabel .Context}}
+{{$MOUNTLABEL := .MountLabel}}
 # no controlling tty at all
 lxc.tty = 1
@@ -152,14 +151,6 @@ func getMemorySwap(v *execdriver.Resources) int64 {
 return v.Memory * 2
 }
-func getProcessLabel(c map[string][]string) string {
- return getLabel(c, "process")
-}
-
-func getMountLabel(c map[string][]string) string {
- return getLabel(c, "mount")
-}
-
 func getLabel(c map[string][]string, name string) string {
 label := c["label"]
 for _, l := range label {
@@ -175,8 +166,6 @@ func init() {
 var err error
 funcMap := template.FuncMap{
 "getMemorySwap": getMemorySwap,
- "getProcessLabel": getProcessLabel,
- "getMountLabel": getMountLabel,
 "escapeFstabSpaces": escapeFstabSpaces,
 "formatMountLabel": label.FormatMountLabel,
 }
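Review bot: `getLabel` is left behind with its only two visible callers, getProcessLabel and getMountLabel, deleted in this hunk; if nothing else in the file references it (not visible here), it is now dead code, and Go will not complain about an unused unexported function, so it will linger. Remove it together with its callers, or, if it is still used elsewhere, give it a doc comment saying what the `"label"` entries of the context map look like so the next reader does not have to reverse-engineer the parsing. getLabel's body continues outside the hunk.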