
Commit 2c9d80a

authored
Merge pull request containerd#6372 from fidencio/wip/seutil-fix-container_kvm_t-type-detection
seutil: Fix setting the "container_kvm_t" label
2 parents 3c3486f + f1c7993 commit 2c9d80a


2 files changed

+1
-38
lines changed

2 files changed

+1
-38
lines changed

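--- a/pkg/cri/server/helpers_linux.go
+++ b/pkg/cri/server/helpers_linux.go
@@ -269,17 +269,10 @@ func modifyProcessLabel(runtimeType string, spec *specs.Spec) error {
 if !isVMBasedRuntime(runtimeType) {
 return nil
 }
-l, err := getKVMLabel(spec.Process.SelinuxLabel)
+l, err := seutil.ChangeToKVM(spec.Process.SelinuxLabel)
 if err != nil {
 return errors.Wrap(err, "failed to get selinux kvm label")
 }
 spec.Process.SelinuxLabel = l
 return nil
 }
-
-func getKVMLabel(l string) (string, error) {
-if !seutil.HasType("container_kvm_t") {
-return "", nil
-}
-return seutil.ChangeToKVM(l)
-}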
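Review bot: `spec.Process.SelinuxLabel = l` still assigns whatever comes back, so a `"", nil` result from `seutil.ChangeToKVM` would replace an existing process label with the empty string; the removed `getKVMLabel` produced exactly that result whenever its type lookup missed. Only the first line of ChangeToKVM's early-return branch is visible on this page, so whether it can return an empty label for a non-empty input should be confirmed. If it can, keeping the original label is the safer default for confinement: `if l != "" { spec.Process.SelinuxLabel = l }`. A short comment on modifyProcessLabel would also help, stating that VM-based runtimes get the KVM process type and that the host policy is no longer consulted before the label is rewritten; the function's signature lies above the hunk.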

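--- a/pkg/seutil/seutil.go
+++ b/pkg/seutil/seutil.go
@@ -17,39 +17,9 @@
 package seutil
 
 import (
-"bufio"
-"os"
-
 "github.com/opencontainers/selinux/go-selinux"
 )
 
-var seTypes map[string]struct{}
-
-const typePath = "/etc/selinux/targeted/contexts/customizable_types"
-
-func init() {
-seTypes = make(map[string]struct{})
-if !selinux.GetEnabled() {
-return
-}
-f, err := os.Open(typePath)
-if err != nil {
-return
-}
-defer f.Close()
-s := bufio.NewScanner(f)
-for s.Scan() {
-seTypes[s.Text()] = struct{}{}
-}
-}
-
-// HasType returns true if the underlying system has the
-// provided selinux type enabled.
-func HasType(name string) bool {
-_, ok := seTypes[name]
-return ok
-}
-
 // ChangeToKVM process label
 func ChangeToKVM(l string) (string, error) {
 if l == "" || !selinux.GetEnabled() {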
