From f682ad844ee46efb9a1652a3e9b52029f5f6136d Mon Sep 17 00:00:00 2001
From: Aditya R
Date: Fri, 1 Apr 2022 11:29:54 +0530
Subject: [PATCH 1/2] selinux: don't use lsetxattr on /proc/self/fd/%d

lsetxattr always fails with ENOTSUP when it tries to relabel /proc/self/fd/%d but in this case we are acutally intrested on the actual file pointed by the `/proc/self/fd/%d` not in the `symlink` so use `Chcon` instead of `Relabel` since `Relabel` was configured here https://github.com/opencontainers/selinux/pull/173 to use `lsetxattr` instead of `setxattr`.

[NO NEW TESTS NEEDED]

Signed-off-by: Aditya R
---
 selinux.go | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/selinux.go b/selinux.go
index e7e9fd8c27e..67fd0c4ee2e 100644
--- a/selinux.go
+++ b/selinux.go
@@ -7,7 +7,6 @@ import (
 "github.com/opencontainers/runtime-tools/generate"
 selinux "github.com/opencontainers/selinux/go-selinux"
- "github.com/opencontainers/selinux/go-selinux/label"
 "github.com/pkg/errors"
 )
@@ -33,7 +32,7 @@ func runLabelStdioPipes(stdioPipe [][]int, processLabel, mountLabel string) erro
 }
 for i := range stdioPipe {
 pipeFdName := fmt.Sprintf("/proc/self/fd/%d", stdioPipe[i][0])
- if err := label.Relabel(pipeFdName, pipeContext, false); err != nil {
+ if err := selinux.Chcon(pipeFdName, pipeContext, false); err != nil {
 return errors.Wrapf(err, "setting file label on %q", pipeFdName)
 }
 }

From 552a4c61eb21c64db781e32fce30f7ca02b2e0e0 Mon Sep 17 00:00:00 2001
From: Aditya R
Date: Fri, 1 Apr 2022 11:34:54 +0530
Subject: [PATCH 2/2] vendor: bump selinux to v1.10.1

[NO NEW TESTS NEEDED]

Signed-off-by: Aditya R
---
 go.mod | 2 +-
 go.sum | 3 ++-
 vendor/github.com/opencontainers/selinux/go-selinux/rchcon.go | 2 +-
 .../opencontainers/selinux/go-selinux/rchcon_go115.go | 2 +-
 vendor/modules.txt | 2 +-
 5 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/go.mod b/go.mod
index eefec2959c0..d32ce9a5b48 100644
--- a/go.mod
+++ b/go.mod
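Review bot: The `selinux.Chcon(pipeFdName, pipeContext, false)` line works only because Chcon's non-recursive path sets the xattr through the `/proc/self/fd/%d` link onto the pipe behind it, which is exactly why `label.Relabel` (lsetxattr, which the commit message says fails with ENOTSUP on that path) was dropped, yet nothing at the call site records this, so a later cleanup could switch back to Relabel or to a recursive call and reintroduce the ENOTSUP failure. Add a comment above the call, e.g. `// Chcon, not label.Relabel: the label must land on the pipe behind /proc/self/fd/N, not on the procfs symlink, which rejects lsetxattr with ENOTSUP.` If the vendored go-selinux v1.10.0 routed the non-recursive Chcon path through lsetxattr as well, this commit depends on the v1.10.1 bump in patch 2/2 and the series would be more bisectable with the bump first; I cannot confirm that from the hunk. runLabelStdioPipes starts before this hunk and its return lies after it.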
@@ -26,7 +26,7 @@ require (
 github.com/opencontainers/runc v1.1.1
 github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417
 github.com/opencontainers/runtime-tools v0.9.0
- github.com/opencontainers/selinux v1.10.0
+ github.com/opencontainers/selinux v1.10.1
 github.com/openshift/imagebuilder v1.2.3
 github.com/pkg/errors v0.9.1
 github.com/prometheus/client_golang v1.11.1 // indirect
diff --git a/go.sum b/go.sum
index 060d5322b4f..f2f7122d467 100644
--- a/go.sum
+++ b/go.sum
@@ -877,8 +877,9 @@ github.com/opencontainers/selinux v1.6.0/go.mod h1:VVGKuOLlE7v4PJyT6h7mNWvq1rzqi
 github.com/opencontainers/selinux v1.8.0/go.mod h1:RScLhm78qiWa2gbVCcGkC7tCGdgk3ogry1nUQF8Evvo=
 github.com/opencontainers/selinux v1.8.2/go.mod h1:MUIHuUEvKB1wtJjQdOyYRgOnLD2xAPP8dBsCoU0KuF8=
 github.com/opencontainers/selinux v1.8.5/go.mod h1:HTvjPFoGMbpQsG886e3lQwnsRWtE4TC1OF3OUvG9FAo=
-github.com/opencontainers/selinux v1.10.0 h1:rAiKF8hTcgLI3w0DHm6i0ylVVcOrlgR1kK99DRLDhyU=
 github.com/opencontainers/selinux v1.10.0/go.mod h1:2i0OySw99QjzBBQByd1Gr9gSjvuho1lHsJxIJ3gGbJI=
+github.com/opencontainers/selinux v1.10.1 h1:09LIPVRP3uuZGQvgR+SgMSNBd1Eb3vlRbGqQpoHsF8w=
+github.com/opencontainers/selinux v1.10.1/go.mod h1:2i0OySw99QjzBBQByd1Gr9gSjvuho1lHsJxIJ3gGbJI=
 github.com/openshift/imagebuilder v1.2.3 h1:jvA7mESJdclRKkTe3Yl6UWlliFNVW6mLY8RI+Rrfhfo=
 github.com/openshift/imagebuilder v1.2.3/go.mod h1:TRYHe4CH9U6nkDjxjBNM5klrLbJBrRbpJE5SaRwUBsQ=
 github.com/opentracing/opentracing-go v1.1.0/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o=
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/rchcon.go b/vendor/github.com/opencontainers/selinux/go-selinux/rchcon.go
index 897ecbac41c..feb739d3261 100644
--- a/vendor/github.com/opencontainers/selinux/go-selinux/rchcon.go
+++ b/vendor/github.com/opencontainers/selinux/go-selinux/rchcon.go
@@ -12,7 +12,7 @@ import (
 func rchcon(fpath, label string) error {
 return pwalkdir.Walk(fpath, func(p string, _ fs.DirEntry, _ error) error {
- e := setFileLabel(p, label)
+ e := lSetFileLabel(p, label)
 // Walk a file tree can race with removal, so ignore ENOENT.
 if errors.Is(e, os.ErrNotExist) {
 return nil
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/rchcon_go115.go b/vendor/github.com/opencontainers/selinux/go-selinux/rchcon_go115.go
index 2c8b033ce05..ecc7abfac5e 100644
--- a/vendor/github.com/opencontainers/selinux/go-selinux/rchcon_go115.go
+++ b/vendor/github.com/opencontainers/selinux/go-selinux/rchcon_go115.go
@@ -11,7 +11,7 @@ import (
 func rchcon(fpath, label string) error {
 return pwalk.Walk(fpath, func(p string, _ os.FileInfo, _ error) error {
- e := setFileLabel(p, label)
+ e := lSetFileLabel(p, label)
 // Walk a file tree can race with removal, so ignore ENOENT.
 if errors.Is(e, os.ErrNotExist) {
 return nil
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 8bd655b5a71..398a116bf32 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -415,7 +415,7 @@ github.com/opencontainers/runtime-tools/generate
 github.com/opencontainers/runtime-tools/generate/seccomp
 github.com/opencontainers/runtime-tools/specerror
 github.com/opencontainers/runtime-tools/validate
-# github.com/opencontainers/selinux v1.10.0
+# github.com/opencontainers/selinux v1.10.1
 github.com/opencontainers/selinux/go-selinux
 github.com/opencontainers/selinux/go-selinux/label
 github.com/opencontainers/selinux/pkg/pwalk