Skip to content

Add support for Selinux mount context labels #393

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
vbatts merged 1 commit into from
Apr 22, 2016
Merged

Add support for Selinux mount context labels #393

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 10 additions & 0 deletions config-linux.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -545,6 +545,16 @@ Its value is either slave, private, or shared.
]
```

## Mount Label

`mountLabel` will set the Selinux context for the mounts in the container.
Copy link
Contributor

@wking wking Apr 22, 2016

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we want cross-links between this and config.md's process.selinuxLabel? I expect folks interested in one would also be interested in the other.


###### Example

```json
"mountLabel": "system_u:object_r:svirt_sandbox_file_t:s0:c715,c811"
Copy link
Member

@vbatts vbatts Apr 22, 2016

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

sorry. One more nit. Please add this line to the "complete json" example in the config.md.

Copy link
Contributor Author

@mrunalp mrunalp Apr 22, 2016

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good catch. Fixed.

```

[cgroup-v1]: https://www.kernel.org/doc/Documentation/cgroup-v1/cgroups.txt
[cgroup-v1-blkio]: https://www.kernel.org/doc/Documentation/cgroup-v1/blkio-controller.txt
[cgroup-v1-cpusets]: https://www.kernel.org/doc/Documentation/cgroup-v1/cpusets.txt
Expand Down
3 changes: 2 additions & 1 deletion config.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -605,7 +605,8 @@ Here is a full example `config.json` for reference.
"/proc/irq",
"/proc/sys",
"/proc/sysrq-trigger"
]
],
"mountLabel": "system_u:object_r:svirt_sandbox_file_t:s0:c715,c811"
},
"annotations": {
"key1": "value1",
Expand Down
4 changes: 4 additions & 0 deletions schema/schema-linux.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -330,6 +330,10 @@
"readonlyPaths": {
"id": "https://opencontainers.org/schema/bundle/linux/readonlyPaths",
"$ref": "defs.json#/definitions/ArrayOfStrings"
},
"mountLabel": {
"id": "https://opencontainers.org/schema/bundle/linux/mountLabel",
"type": "string"
Copy link
Member

@vbatts vbatts Apr 22, 2016

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

cool

}
}
}
Expand Down
2 changes: 2 additions & 0 deletions specs-go/config.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -140,6 +140,8 @@ type Linux struct {
MaskedPaths []string `json:"maskedPaths,omitempty"`
// ReadonlyPaths sets the provided paths as RO inside the container.
ReadonlyPaths []string `json:"readonlyPaths,omitempty"`
// MountLabel specifies the selinux context for the mounts in the container.
MountLabel string `json:"mountLabel,omitempty"`
}

// Namespace is the configuration for a Linux namespace
Expand Down