add selinux category range to config

This allows an admin to set the upper bounds on the category range for selinux labels. This can be useful when handling allocation of PVs or other volume types that need to be shared with selinux enabled on the hosts and volumes. Signed-off-by: Michael Crosby <michael@thepasture.io>
2020-07-20 07:43:21 -04:00
parent 9b06da4773
commit 5f5d954b6a
5 changed files with 18 additions and 7 deletions
--- a/pkg/config/config.go
+++ b/pkg/config/config.go
@@ -198,6 +198,9 @@ type PluginConfig struct {
 	StreamIdleTimeout string `toml:"stream_idle_timeout" json:"streamIdleTimeout"`
 	// EnableSelinux indicates to enable the selinux support.
 	EnableSelinux bool `toml:"enable_selinux" json:"enableSelinux"`
+	// SelinuxCategoryRange allows the upper bound on the category range to be set.
+	// If not specified or set to 0, defaults to 1024 from the selinux package.
+	SelinuxCategoryRange int `toml:"selinux_category_range" json:"selinuxCategoryRange"`
 	// SandboxImage is the image used by sandbox container.
 	SandboxImage string `toml:"sandbox_image" json:"sandboxImage"`
 	// StatsCollectPeriod is the period (in seconds) of snapshots stats collection.
--- a/pkg/config/config_unix.go
+++ b/pkg/config/config_unix.go
@@ -44,12 +44,13 @@ func DefaultConfig() PluginConfig {
 				},
 			},
 		},
-		DisableTCPService:   true,
-		StreamServerAddress: "127.0.0.1",
-		StreamServerPort:    "0",
-		StreamIdleTimeout:   streaming.DefaultConfig.StreamIdleTimeout.String(), // 4 hour
-		EnableSelinux:       false,
-		EnableTLSStreaming:  false,
+		DisableTCPService:    true,
+		StreamServerAddress:  "127.0.0.1",
+		StreamServerPort:     "0",
+		StreamIdleTimeout:    streaming.DefaultConfig.StreamIdleTimeout.String(), // 4 hour
+		EnableSelinux:        false,
+		SelinuxCategoryRange: 1024,
+		EnableTLSStreaming:   false,
 		X509KeyPairStreaming: X509KeyPairStreaming{
 			TLSKeyFile:  "",
 			TLSCertFile: "",
--- a/pkg/server/service_unix.go
+++ b/pkg/server/service_unix.go
@@ -44,6 +44,9 @@ func (c *criService) initPlatform() error {
 		if !selinux.GetEnabled() {
 			logrus.Warn("Selinux is not supported")
 		}
+		if r := c.config.SelinuxCategoryRange; r > 0 {
+			selinux.CategoryRange = uint32(r)
+		}
 	} else {
 		selinux.SetDisabled()
 	}