Switch to using opencontainers/selinux for selinux bindings

Signed-off-by: Antonio Murdaca <[email protected]>

Author: runcom

container/container.go

@@ -43,7 +43,7 @@ import (
 	"github.com/docker/libnetwork/options"
 	"github.com/docker/libnetwork/types"
 	agentexec "github.com/docker/swarmkit/agent/exec"
-	"github.com/opencontainers/runc/libcontainer/label"
+	"github.com/opencontainers/selinux/go-selinux/label"
 )
 
 const configFileName = "config.v2.json"

container/container_unix.go

@@ -17,7 +17,7 @@ import (
 	"github.com/docker/docker/pkg/symlink"
 	"github.com/docker/docker/pkg/system"
 	"github.com/docker/docker/volume"
-	"github.com/opencontainers/runc/libcontainer/label"
+	"github.com/opencontainers/selinux/go-selinux/label"
 	"golang.org/x/sys/unix"
 )
 

daemon/container_operations_unix.go

@@ -19,7 +19,7 @@ import (
 	"github.com/docker/docker/pkg/stringid"
 	"github.com/docker/docker/runconfig"
 	"github.com/docker/libnetwork"
-	"github.com/opencontainers/runc/libcontainer/label"
+	"github.com/opencontainers/selinux/go-selinux/label"
 	"github.com/pkg/errors"
 )
 

daemon/create.go

@@ -20,7 +20,7 @@ import (
 	"github.com/docker/docker/pkg/idtools"
 	"github.com/docker/docker/pkg/stringid"
 	"github.com/docker/docker/runconfig"
-	"github.com/opencontainers/runc/libcontainer/label"
+	"github.com/opencontainers/selinux/go-selinux/label"
 )
 
 // CreateManagedContainer creates a container that is managed by a Service
@@ -155,6 +155,13 @@ func (daemon *Daemon) create(params types.ContainerCreateConfig, managed bool) (
 	return container, nil
 }
 
+func toHostConfigSelinuxLabels(labels []string) []string {
+	for i, l := range labels {
+		labels[i] = "label=" + l
+	}
+	return labels
+}
+
 func (daemon *Daemon) generateSecurityOpt(hostConfig *containertypes.HostConfig) ([]string, error) {
 	for _, opt := range hostConfig.SecurityOpt {
 		con := strings.Split(opt, "=")
@@ -167,7 +174,7 @@ func (daemon *Daemon) generateSecurityOpt(hostConfig *containertypes.HostConfig)
 	pidMode := hostConfig.PidMode
 	privileged := hostConfig.Privileged
 	if ipcMode.IsHost() || pidMode.IsHost() || privileged {
-		return label.DisableSecOpt(), nil
+		return toHostConfigSelinuxLabels(label.DisableSecOpt()), nil
 	}
 
 	var ipcLabel []string
@@ -181,7 +188,7 @@ func (daemon *Daemon) generateSecurityOpt(hostConfig *containertypes.HostConfig)
 		}
 		ipcLabel = label.DupSecOpt(c.ProcessLabel)
 		if pidContainer == "" {
-			return ipcLabel, err
+			return toHostConfigSelinuxLabels(ipcLabel), err
 		}
 	}
 	if pidContainer != "" {
@@ -192,7 +199,7 @@ func (daemon *Daemon) generateSecurityOpt(hostConfig *containertypes.HostConfig)
 
 		pidLabel = label.DupSecOpt(c.ProcessLabel)
 		if ipcContainer == "" {
-			return pidLabel, err
+			return toHostConfigSelinuxLabels(pidLabel), err
 		}
 	}
 
@@ -202,7 +209,7 @@ func (daemon *Daemon) generateSecurityOpt(hostConfig *containertypes.HostConfig)
 				return nil, fmt.Errorf("--ipc and --pid containers SELinux labels aren't the same")
 			}
 		}
-		return pidLabel, nil
+		return toHostConfigSelinuxLabels(pidLabel), nil
 	}
 	return nil, nil
 }

daemon/create_unix.go

@@ -12,7 +12,7 @@ import (
 	mounttypes "github.com/docker/docker/api/types/mount"
 	"github.com/docker/docker/container"
 	"github.com/docker/docker/pkg/stringid"
-	"github.com/opencontainers/runc/libcontainer/label"
+	"github.com/opencontainers/selinux/go-selinux/label"
 )
 
 // createContainerPlatformSpecificSettings performs platform specific container create functionality

daemon/daemon_solaris.go

@@ -23,8 +23,8 @@ import (
 	"github.com/docker/libnetwork/netlabel"
 	"github.com/docker/libnetwork/netutils"
 	lntypes "github.com/docker/libnetwork/types"
-	"github.com/opencontainers/runc/libcontainer/label"
 	"github.com/opencontainers/runtime-spec/specs-go"
+	"github.com/opencontainers/selinux/go-selinux/label"
 	"github.com/pkg/errors"
 )
 

daemon/daemon_unix.go

@@ -41,9 +41,9 @@ import (
 	lntypes "github.com/docker/libnetwork/types"
 	"github.com/golang/protobuf/ptypes"
 	"github.com/opencontainers/runc/libcontainer/cgroups"
-	"github.com/opencontainers/runc/libcontainer/label"
 	rsystem "github.com/opencontainers/runc/libcontainer/system"
 	specs "github.com/opencontainers/runtime-spec/specs-go"
+	"github.com/opencontainers/selinux/go-selinux/label"
 	"github.com/pkg/errors"
 	"github.com/vishvananda/netlink"
 )

daemon/graphdriver/aufs/aufs.go

@@ -47,8 +47,8 @@ import (
 	"github.com/docker/docker/pkg/locker"
 	mountpk "github.com/docker/docker/pkg/mount"
 
-	"github.com/opencontainers/runc/libcontainer/label"
 	rsystem "github.com/opencontainers/runc/libcontainer/system"
+	"github.com/opencontainers/selinux/go-selinux/label"
 )
 
 var (

daemon/graphdriver/btrfs/btrfs.go

@@ -28,7 +28,7 @@ import (
 	"github.com/docker/docker/pkg/mount"
 	"github.com/docker/docker/pkg/parsers"
 	"github.com/docker/go-units"
-	"github.com/opencontainers/runc/libcontainer/label"
+	"github.com/opencontainers/selinux/go-selinux/label"
 )
 
 func init() {

daemon/graphdriver/devmapper/deviceset.go

@@ -30,7 +30,7 @@ import (
 	"github.com/docker/docker/pkg/parsers"
 	units "github.com/docker/go-units"
 
-	"github.com/opencontainers/runc/libcontainer/label"
+	"github.com/opencontainers/selinux/go-selinux/label"
 )
 
 var (

daemon/graphdriver/overlay/overlay.go

@@ -21,7 +21,7 @@ import (
 	"github.com/docker/docker/pkg/idtools"
 	"github.com/docker/docker/pkg/locker"
 	"github.com/docker/docker/pkg/mount"
-	"github.com/opencontainers/runc/libcontainer/label"
+	"github.com/opencontainers/selinux/go-selinux/label"
 )
 
 // This is a small wrapper over the NaiveDiffWriter that lets us have a custom

daemon/graphdriver/overlay2/overlay.go

@@ -33,7 +33,7 @@ import (
 	"github.com/docker/docker/pkg/parsers/kernel"
 	units "github.com/docker/go-units"
 
-	"github.com/opencontainers/runc/libcontainer/label"
+	"github.com/opencontainers/selinux/go-selinux/label"
 )
 
 var (

daemon/graphdriver/vfs/driver.go

@@ -9,7 +9,7 @@ import (
 	"github.com/docker/docker/pkg/chrootarchive"
 	"github.com/docker/docker/pkg/idtools"
 
-	"github.com/opencontainers/runc/libcontainer/label"
+	"github.com/opencontainers/selinux/go-selinux/label"
 )
 
 var (

daemon/graphdriver/zfs/zfs.go

@@ -19,7 +19,7 @@ import (
 	"github.com/docker/docker/pkg/mount"
 	"github.com/docker/docker/pkg/parsers"
 	zfs "github.com/mistifyio/go-zfs"
-	"github.com/opencontainers/runc/libcontainer/label"
+	"github.com/opencontainers/selinux/go-selinux/label"
 )
 
 type zfsOptions struct {

daemon/selinux_linux.go

@@ -2,16 +2,16 @@
 
 package daemon
 
-import "github.com/opencontainers/runc/libcontainer/selinux"
+import "github.com/opencontainers/selinux/go-selinux"
 
 func selinuxSetDisabled() {
 	selinux.SetDisabled()
 }
 
 func selinuxFreeLxcContexts(label string) {
-	selinux.FreeLxcContexts(label)
+	selinux.ReleaseLabel(label)
 }
 
 func selinuxEnabled() bool {
-	return selinux.SelinuxEnabled()
+	return selinux.GetEnabled()
 }

vendor.conf

@@ -142,3 +142,4 @@ github.com/xeipuuv/gojsonpointer e0fe6f68307607d540ed8eac07a342c33fa1b54a
 github.com/xeipuuv/gojsonreference e02fc20de94c78484cd5ffb007f8af96be030a45
 github.com/xeipuuv/gojsonschema 93e72a773fade158921402d6a24c819b48aba29d
 gopkg.in/yaml.v2 4c78c975fe7c825c6d1466c42be594d1d6f3aba6
+github.com/opencontainers/selinux ba1aefe8057f1d0cfb8e88d0ec1dc85925ef987d