Merge pull request #377 from nak3/selinux-docker-driver

dadgar · dadgar · commit cb811dd97ccd · 2015-11-05T10:54:48.000-08:00
Apply SELinux label to allocate directory of docker driver
diff --git a/client/driver/docker.go b/client/driver/docker.go
@@ -108,8 +108,10 @@ func (d *DockerDriver) containerBinds(alloc *allocdir.AllocDir, task *structs.Ta
 	}
 
 	return []string{
-		fmt.Sprintf("%s:%s", shared, allocdir.SharedAllocName),
-		fmt.Sprintf("%s:%s", local, allocdir.TaskLocal),
+		// "z" and "Z" option is to allocate directory with SELinux label.
+		fmt.Sprintf("%s:/%s:rw,z", shared, allocdir.SharedAllocName),
+		// capital "Z" will label with Multi-Category Security (MCS) labels
+		fmt.Sprintf("%s:/%s:rw,Z", local, allocdir.TaskLocal),
 	}, nil
 }
 

Original file line number	Diff line number	Diff line change
`@@ -108,8 +108,10 @@ func (d DockerDriver) containerBinds(alloc allocdir.AllocDir, task *structs.Ta`
`108`	`108`	`}`
`109`	`109`
`110`	`110`	`return []string{`
`111`		`- fmt.Sprintf("%s:%s", shared, allocdir.SharedAllocName),`
`112`		`- fmt.Sprintf("%s:%s", local, allocdir.TaskLocal),`
	`111`	`+ // "z" and "Z" option is to allocate directory with SELinux label.`
	`112`	`+ fmt.Sprintf("%s:/%s:rw,z", shared, allocdir.SharedAllocName),`
	`113`	`+ // capital "Z" will label with Multi-Category Security (MCS) labels`
	`114`	`+ fmt.Sprintf("%s:/%s:rw,Z", local, allocdir.TaskLocal),`
`113`	`115`	`}, nil`
`114`	`116`	`}`
`115`	`117`