diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/docker-runc-1.0.0_rc10.ebuild b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/docker-runc-1.0.0_rc10.ebuild
index eb4a76f94b..162664f92f 100644
--- a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/docker-runc-1.0.0_rc10.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/docker-runc-1.0.0_rc10.ebuild
@@ -43,7 +43,6 @@ src_unpack() {
 PATCHES=(
 "${FILESDIR}/0001-Delay-unshare-of-clone-newipc-for-selinux.patch"
- "${FILESDIR}/0001-temporarily-disable-selinux.GetEnabled-error-checks.patch"
 )
 src_compile() {
diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/files/0001-temporarily-disable-selinux.GetEnabled-error-checks.patch b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/files/0001-temporarily-disable-selinux.GetEnabled-error-checks.patch
deleted file mode 100644
index f803766074..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/files/0001-temporarily-disable-selinux.GetEnabled-error-checks.patch
+++ /dev/null
@@ -1,58 +0,0 @@ -From 7264883458e7bdcd23152495ac141a24d17b8db9 Mon Sep 17 00:00:00 2001 -Message-Id: <7264883458e7bdcd23152495ac141a24d17b8db9.1564136934.git.dongsu@kinvolk.io> -From: Dongsu Park -Date: Fri, 26 Jul 2019 12:19:37 +0200 -Subject: [PATCH] temporarily disable selinux.GetEnabled() error checks - ---- - libcontainer/configs/validate/validator.go | 4 ---- - utils_linux.go | 4 ---- - 2 files changed, 8 deletions(-) - -diff --git a/libcontainer/configs/validate/validator.go b/libcontainer/configs/validate/validator.go -index 3b42f301..bace067d 100644 ---- a/libcontainer/configs/validate/validator.go -+++ b/libcontainer/configs/validate/validator.go -@@ -8,7 +8,6 @@ import ( - - "github.com/opencontainers/runc/libcontainer/configs" - "github.com/opencontainers/runc/libcontainer/intelrdt" -- selinux "github.com/opencontainers/selinux/go-selinux" - ) - - type Validator interface { -@@ -99,9 +98,6 @@ func (v *ConfigValidator) security(config *configs.Config) error { - !config.Namespaces.Contains(configs.NEWNS) { - return fmt.Errorf("unable to restrict sys entries without a private MNT namespace") - } -- if config.ProcessLabel != "" && !selinux.GetEnabled() { -- return fmt.Errorf("selinux label is specified in config, but selinux is disabled or not supported") -- } - - return nil - } -diff --git a/utils_linux.go b/utils_linux.go -index b05e7b60..ce50db14 100644 ---- a/utils_linux.go -+++ b/utils_linux.go -@@ -17,7 +17,6 @@ import ( - "github.com/opencontainers/runc/libcontainer/specconv" - "github.com/opencontainers/runc/libcontainer/utils" - "github.com/opencontainers/runtime-spec/specs-go" -- selinux "github.com/opencontainers/selinux/go-selinux" - - "github.com/coreos/go-systemd/activation" - "github.com/pkg/errors" -@@ -388,9 +387,6 @@ func validateProcessSpec(spec *specs.Process) error { - if len(spec.Args) == 0 { - return fmt.Errorf("args must not be empty") - } -- if spec.SelinuxLabel != "" && !selinux.GetEnabled() { -- return fmt.Errorf("selinux label 
is specified in config, but selinux is disabled or not supported") -- } - return nil - } - --- -2.21.0 -
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/generic/package.use b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/generic/package.use
index 6703f07327..6031484ee9 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/generic/package.use
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/generic/package.use
@@ -7,6 +7,7 @@ sys-apps/systemd selinux
 sys-apps/coreutils selinux
 # Enable SELinux for runc
+app-emulation/docker-runc selinux
 app-emulation/runc selinux
 # Enable SELinux for tar
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/package.use b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/package.use
index 1730b342ee..ba2bf5f4a3 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/package.use
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/package.use
@@ -1,5 +1,9 @@
 # arm64 use
+# Enable SELinux for runc
+app-emulation/docker-runc selinux
+app-emulation/runc selinux
+
 # FIXME: why isn't this set by default???
 sys-libs/ncurses unicode
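Review bot: The `app-emulation/docker-runc selinux` line added here is now load-bearing: with the workaround patch dropped from the ebuild hunk, docker-runc again enforces the `selinux.GetEnabled()` check whose error text is visible in the deleted patch, so a build of docker-runc on any profile that does not set this flag would presumably reject every container spec that carries an SELinux label with `selinux label is specified in config, but selinux is disabled or not supported`. This hunk covers only the amd64/generic profile (the arm64 profile gets its own hunk); it is worth confirming that no other profile in the tree builds docker-runc without the flag. A short comment next to the flag would make the coupling visible to the next maintainer, e.g. `# docker-runc must be built with selinux, otherwise labelled containers are rejected at validation time`.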
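Review bot: Besides docker-runc, this hunk also newly sets `selinux` for `app-emulation/runc` on arm64, a flag the amd64 profile already carried as existing context but arm64 did not; that is a wider behaviour change than the docker-runc fix and deserves a sentence in the commit message and a check that the arm64 image ships the matching SELinux support for it. The neighbouring `# FIXME` line suggests this profile has drifted from amd64 before, so stating the intent explicitly helps, e.g. extend the added comment to `# Enable SELinux for runc (kept in sync with the amd64 profile)`.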