Merge pull request #6372 from fidencio/wip/seutil-fix-container_kvm_t-type-detection

seutil: Fix setting the "container_kvm_t" label
2021-12-15 10:35:04 -08:00 · 2021-12-15 10:35:04 -08:00 · 2c9d80aba5
commit 2c9d80aba5
parent 3c3486f91b f1c7993311
2 changed files with 1 additions and 38 deletions
--- a/pkg/cri/server/helpers_linux.go
+++ b/pkg/cri/server/helpers_linux.go
@ -269,17 +269,10 @@ func modifyProcessLabel(runtimeType string, spec *specs.Spec) error {
 	if !isVMBasedRuntime(runtimeType) {
 		return nil
 	}
-	l, err := getKVMLabel(spec.Process.SelinuxLabel)
+	l, err := seutil.ChangeToKVM(spec.Process.SelinuxLabel)
 	if err != nil {
 		return errors.Wrap(err, "failed to get selinux kvm label")
 	}
 	spec.Process.SelinuxLabel = l
 	return nil
 }
 func getKVMLabel(l string) (string, error) {
 	if !seutil.HasType("container_kvm_t") {
 		return "", nil
 	}
 	return seutil.ChangeToKVM(l)
 }
--- a/pkg/seutil/seutil.go
+++ b/pkg/seutil/seutil.go
@ -17,39 +17,9 @@
 package seutil
 import (
 	"bufio"
 	"os"
 	"github.com/opencontainers/selinux/go-selinux"
 )
 var seTypes map[string]struct{}
 const typePath = "/etc/selinux/targeted/contexts/customizable_types"
 func init() {
 	seTypes = make(map[string]struct{})
 	if !selinux.GetEnabled() {
 		return
 	}
 	f, err := os.Open(typePath)
 	if err != nil {
 		return
 	}
 	defer f.Close()
 	s := bufio.NewScanner(f)
 	for s.Scan() {
 		seTypes[s.Text()] = struct{}{}
 	}
 }
 // HasType returns true if the underlying system has the
 // provided selinux type enabled.
 func HasType(name string) bool {
 	_, ok := seTypes[name]
 	return ok
 }
 // ChangeToKVM process label
 func ChangeToKVM(l string) (string, error) {
 	if l == "" || !selinux.GetEnabled() {