Enable SELinux for Docker

We ship appropriate SELinux policy for Docker, but the daemon isn't using it. Make sure Docker is built with SELinux support and turn it on at daemon startup time.
2025-08-23 07:21:14 +02:00 · 2015-11-11 14:52:41 -08:00 · 2015-11-11 14:52:41 -08:00 · 1911ea81e7
commit 1911ea81e7
parent cff534fd0e
3 changed files with 6 additions and 2 deletions
--- a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-1.8.3-r1.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-1.8.3-r1.ebuild
--- a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-9999.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-9999.ebuild
@ -24,7 +24,7 @@ inherit bash-completion-r1 linux-info multilib systemd udev user cros-workon

 LICENSE="Apache-2.0"
 SLOT="0"
-IUSE="aufs +btrfs contrib +device-mapper doc experimental lxc +overlay vim-syntax zsh-completion"
+IUSE="aufs +btrfs contrib +device-mapper doc experimental lxc +overlay +selinux vim-syntax zsh-completion"

 # https://github.com/docker/docker/blob/master/hack/PACKAGERS.md#build-dependencies
 CDEPEND="
@ -188,6 +188,10 @@ src_compile() {
 		fi
 	done

+	if use selinux; then
+		DOCKER_BUILDTAGS+=" selinux"
+	fi
+
 	# https://github.com/docker/docker/pull/13338
 	if use experimental; then
 		export DOCKER_EXPERIMENTAL=1
--- a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/docker.service
+++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/docker.service
@ -9,7 +9,7 @@ EnvironmentFile=-/run/flannel_docker_opts.env
 MountFlags=slave
 LimitNOFILE=1048576
 LimitNPROC=1048576
-ExecStart=/usr/lib/coreos/dockerd daemon --host=fd:// $DOCKER_OPTS $DOCKER_OPT_BIP $DOCKER_OPT_MTU $DOCKER_OPT_IPMASQ
+ExecStart=/usr/lib/coreos/dockerd daemon --selinux-enabled --host=fd:// $DOCKER_OPTS $DOCKER_OPT_BIP $DOCKER_OPT_MTU $DOCKER_OPT_IPMASQ

 [Install]
 WantedBy=multi-user.target