From 234149559ba189e48a1a1ab6420cc2dcfbd1971c Mon Sep 17 00:00:00 2001
From: Ciprian Hacman
Date: Thu, 16 Jul 2020 18:54:34 +0300
Subject: [PATCH] Restore default SELinux security contexts for container runtime binaries
---
 nodeup/pkg/model/containerd.go | 6 ++++++
 nodeup/pkg/model/docker.go | 5 +++++
 2 files changed, 11 insertions(+)
diff --git a/nodeup/pkg/model/containerd.go b/nodeup/pkg/model/containerd.go
index 8e8cd1d3af1be..79593a6d84845 100644
--- a/nodeup/pkg/model/containerd.go
+++ b/nodeup/pkg/model/containerd.go
@@ -265,6 +265,12 @@ func (b *ContainerdBuilder) buildSystemdService() *nodetasks.Service {
 manifest.Set("Unit", "Documentation", "https://containerd.io")
 manifest.Set("Unit", "After", "network.target local-fs.target")
 
+ // Restore the default SELinux security contexts for the containerd and runc binaries
+ if b.Distribution.IsRHELFamily() && b.Cluster.Spec.Docker != nil && fi.BoolValue(b.Cluster.Spec.Docker.SelinuxEnabled) {
+ manifest.Set("Service", "ExecStartPre", "/bin/sh -c 'restorecon -v /usr/bin/runc'")
+ manifest.Set("Service", "ExecStartPre", "/bin/sh -c 'restorecon -v /usr/bin/containerd*'")
+ }
+
 manifest.Set("Service", "EnvironmentFile", "/etc/sysconfig/containerd")
 manifest.Set("Service", "EnvironmentFile", "/etc/environment")
 manifest.Set("Service", "ExecStartPre", "-/sbin/modprobe overlay")
diff --git a/nodeup/pkg/model/docker.go b/nodeup/pkg/model/docker.go
index 5070d94774ec2..4a53f45649289 100644
--- a/nodeup/pkg/model/docker.go
+++ b/nodeup/pkg/model/docker.go
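Review bot: The two new ExecStartPre entries run without the `-` prefix that the existing `-/sbin/modprobe overlay` line uses, so on a RHEL-family node with SelinuxEnabled set but no `restorecon` on the path (policycoreutils absent) or no `/usr/bin/runc`, the shell exits non-zero and containerd never starts; if a hard failure is intended that deserves a comment, otherwise prefix the commands, e.g. `manifest.Set("Service", "ExecStartPre", "-/bin/sh -c 'restorecon -v /usr/bin/runc'")`. The runc entry contains no glob, so the `/bin/sh -c` wrapper adds nothing there and `restorecon -v /usr/bin/runc` could be handed to systemd directly. The guard reads `SelinuxEnabled` from `b.Cluster.Spec.Docker` inside the ContainerdBuilder, which presumably means a cluster with no Docker spec skips the relabel even on an SELinux-enforcing host; a comment stating that dependency, or a containerd-level setting, would make the behaviour explicit. The same prefix question applies to the docker.go hunk below. buildSystemdService continues outside the hunk.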
@@ -558,6 +558,11 @@ func (b *DockerBuilder) buildSystemdService(dockerVersion semver.Version) *nodet
 manifest.Set("Service", "EnvironmentFile", "/etc/sysconfig/docker")
 manifest.Set("Service", "EnvironmentFile", "/etc/environment")
 
+ // Restore the default SELinux security contexts for the Docker binaries
+ if b.Distribution.IsRHELFamily() && b.Cluster.Spec.Docker != nil && fi.BoolValue(b.Cluster.Spec.Docker.SelinuxEnabled) {
+ manifest.Set("Service", "ExecStartPre", "/bin/sh -c 'restorecon -v /usr/bin/docker*'")
+ }
+
 // the default is not to use systemd for cgroups because the delegate issues still
 // exists and systemd currently does not support the cgroup feature set required
 // for containers run by docker
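Review bot: The glob `/usr/bin/docker*` relabels only files whose name starts with docker; if the Docker installation on this path also drops `containerd`, `containerd-shim*` or `runc` into `/usr/bin` (as docker-ce packages do), those binaries keep whatever context they were extracted with and the relabel is incomplete — worth confirming against what the Docker builder installs. A comment stating the intended scope, e.g. `// Relabels dockerd and the docker-* helpers only; containerd/runc shipped alongside are not covered here`, would let a reader check that gap deliberately rather than discover it from an AVC denial. buildSystemdService continues outside the hunk.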