Bump github.com/opencontainers/selinux from 1.8.0 to 1.8.1

Signed-off-by: Davanum Srinivas <davanum@gmail.com>

vendor/github.com/opencontainers/selinux/go-selinux/doc.go

@@ -1,10 +1,6 @@
 /*
 Package selinux provides a high-level interface for interacting with selinux.
 
-This package uses a selinux build tag to enable the selinux functionality. This
-allows non-linux and linux users who do not have selinux support to still use
-tools that rely on this library.
-
 Usage:
 
 	import "github.com/opencontainers/selinux/go-selinux"

vendor/github.com/opencontainers/selinux/go-selinux/label/label_linux.go

@@ -25,6 +25,8 @@ var ErrIncompatibleLabel = errors.New("Bad SELinux option z and Z can not be use
 // the container.  A list of options can be passed into this function to alter
 // the labels.  The labels returned will include a random MCS String, that is
 // guaranteed to be unique.
+// If the disabled flag is passed in, the process label will not be set, but the mount label will be set
+// to the container_file label with the maximum category. This label is not usable by any confined label.
 func InitLabels(options []string) (plabel string, mlabel string, retErr error) {
 	if !selinux.GetEnabled() {
 		return "", "", nil
@@ -47,7 +49,8 @@ func InitLabels(options []string) (plabel string, mlabel string, retErr error) {
 		}
 		for _, opt := range options {
 			if opt == "disable" {
-				return "", mountLabel, nil
+				selinux.ReleaseLabel(mountLabel)
+				return "", selinux.PrivContainerMountLabel(), nil
 			}
 			if i := strings.Index(opt, ":"); i == -1 {
 				return "", "", errors.Errorf("Bad label option %q, valid options 'disable' or \n'user, role, level, type, filetype' followed by ':' and a value", opt)

vendor/github.com/opencontainers/selinux/go-selinux/selinux.go

@@ -11,9 +11,10 @@ const (
 	Permissive = 0
 	// Disabled constant to indicate SELinux is disabled
 	Disabled = -1
-
+	// maxCategory is the maximum number of categories used within containers
+	maxCategory = 1024
 	// DefaultCategoryRange is the upper bound on the category range
-	DefaultCategoryRange = uint32(1024)
+	DefaultCategoryRange = uint32(maxCategory)
 )
 
 var (
@@ -276,3 +277,8 @@ func DisableSecOpt() []string {
 func GetDefaultContextWithLevel(user, level, scon string) (string, error) {
 	return getDefaultContextWithLevel(user, level, scon)
 }
+
+// PrivContainerMountLabel returns mount label for privileged containers
+func PrivContainerMountLabel() string {
+	return privContainerMountLabel
+}

vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go

@@ -892,13 +892,13 @@ func openContextFile() (*os.File, error) {
 	return os.Open(lxcPath)
 }
 
-var labels = loadLabels()
+var labels, privContainerMountLabel = loadLabels()
 
-func loadLabels() map[string]string {
+func loadLabels() (map[string]string, string) {
 	labels := make(map[string]string)
 	in, err := openContextFile()
 	if err != nil {
-		return labels
+		return labels, ""
 	}
 	defer in.Close()
 
@@ -920,7 +920,10 @@ func loadLabels() map[string]string {
 		}
 	}
 
-	return labels
+	con, _ := NewContext(labels["file"])
+	con["level"] = fmt.Sprintf("s0:c%d,c%d", maxCategory-2, maxCategory-1)
+	reserveLabel(con.get())
+	return labels, con.get()
 }
 
 // kvmContainerLabels returns the default processLabel and mountLabel to be used

vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go

@@ -2,6 +2,8 @@
 
 package selinux
 
+const privContainerMountLabel = ""
+
 func setDisabled() {
 }