From 1911ea81e73475a94f0c3bc8101c71db5e171ab1 Mon Sep 17 00:00:00 2001
From: Matthew Garrett
Date: Wed, 11 Nov 2015 14:52:41 -0800
Subject: [PATCH] Enable SELinux for Docker
We ship appropriate SELinux policy for Docker, but the daemon isn't using it. Make sure Docker is built with SELinux support and turn it on at daemon startup time.
---
 .../docker/{docker-1.8.3.ebuild => docker-1.8.3-r1.ebuild} | 0
 .../coreos-overlay/app-emulation/docker/docker-9999.ebuild | 6 +++++-
 .../app-emulation/docker/files/docker.service | 2 +-
 3 files changed, 6 insertions(+), 2 deletions(-)
 rename sdk_container/src/third_party/coreos-overlay/app-emulation/docker/{docker-1.8.3.ebuild => docker-1.8.3-r1.ebuild} (100%)
diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-1.8.3.ebuild b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-1.8.3-r1.ebuild
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-1.8.3.ebuild
rename to sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-1.8.3-r1.ebuild
diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-9999.ebuild b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-9999.ebuild
index 91167603e4..5843b59529 100644
--- a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-9999.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-9999.ebuild
@@ -24,7 +24,7 @@ inherit bash-completion-r1 linux-info multilib systemd udev user cros-workon
 LICENSE="Apache-2.0"
 SLOT="0"
-IUSE="aufs +btrfs contrib +device-mapper doc experimental lxc +overlay vim-syntax zsh-completion"
+IUSE="aufs +btrfs contrib +device-mapper doc experimental lxc +overlay +selinux vim-syntax zsh-completion"
 # https://github.com/docker/docker/blob/master/hack/PACKAGERS.md#build-dependencies
 CDEPEND="
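Review bot: `+selinux` introduces SELinux support as an optional USE flag, but the docker.service hunk later in this patch passes `--selinux-enabled` unconditionally, so a USE=-selinux build installs a unit that asks a daemon built without the `selinux` tag to enable labeling; as far as I recall dockerd accepts the option regardless of build tags, so the mismatch would be silent. Either the option should reach the unit only under `use selinux` (for example by patching the installed unit from src_install, which is outside the visible hunks), or the flag should be dropped from IUSE and the tag applied unconditionally, since the unit makes it mandatory anyway. The same mismatch applies to the src_compile hunk. CDEPEND continues past the end of this hunk.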
@@ -188,6 +188,10 @@ src_compile() {
 fi
 done
+ if use selinux; then
+ DOCKER_BUILDTAGS+=" selinux"
+ fi
+
 # https://github.com/docker/docker/pull/13338
 if use experimental; then
 export DOCKER_EXPERIMENTAL=1
diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/docker.service b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/docker.service
index befd882b25..341f876c1a 100644
--- a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/docker.service
+++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/docker.service
@@ -9,7 +9,7 @@ EnvironmentFile=-/run/flannel_docker_opts.env
 MountFlags=slave
 LimitNOFILE=1048576
 LimitNPROC=1048576
-ExecStart=/usr/lib/coreos/dockerd daemon --host=fd:// $DOCKER_OPTS $DOCKER_OPT_BIP $DOCKER_OPT_MTU $DOCKER_OPT_IPMASQ
+ExecStart=/usr/lib/coreos/dockerd daemon --selinux-enabled --host=fd:// $DOCKER_OPTS $DOCKER_OPT_BIP $DOCKER_OPT_MTU $DOCKER_OPT_IPMASQ
 [Install]
 WantedBy=multi-user.target
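Review bot: The new `if use selinux` block carries no comment, while the adjacent experimental block records why it exists with a PR link; a one-liner such as `# build the SELinux labeling support that docker.service turns on with --selinux-enabled` would tell the next packager that the tag and the unit option belong together. `DOCKER_BUILDTAGS+=" selinux"` appends with a leading space, which is harmless for a space-separated tag list provided the variable is initialised earlier in src_compile; that initialisation, and the rest of src_compile, lie outside the hunk.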
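Review bot: The `ExecStart` change also reaches docker-1.8.3-r1, because the revision bump renames that ebuild at 100% similarity and `files/docker.service` is shared between versions, yet only docker-9999.ebuild gains the `selinux` build tag; unless the 1.8.3 ebuild already sets it, -r1 ships a unit passing `--selinux-enabled` to a daemon that cannot label containers. Applying the same src_compile change to docker-1.8.3-r1.ebuild, or stating in the commit message why 1.8.3 is exempt, would close that gap. It is also worth recording, a unit comment is enough, that `--selinux-enabled` only has an effect when the host kernel has SELinux enabled with the policy loaded; as far as I can tell the daemon starts normally otherwise, so the image tests should verify that a container actually receives a label rather than trusting the presence of the flag.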