Documentation

Overview

Package selinux contains wrapper functions for the libcontainer SELinux package. A NOP implementation is provided for non-linux platforms.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func SELinuxEnabled

func SELinuxEnabled() bool

SELinuxEnabled returns whether SELinux is enabled on the system. SELinux has a tri-state:

1. disabled: SELinux Kernel modules not loaded, SELinux policy is not

checked during Kernel MAC checks

2. enforcing: Enabled; SELinux policy violations are denied and logged

in the audit log

3. permissive: Enabled, but SELinux policy violations are permitted and

logged in the audit log

SELinuxEnabled returns true if SELinux is enforcing or permissive, and false if it is disabled.

func SetFileLabel

func SetFileLabel(path string, label string) error

SetFileLabel applies the SELinux label on the path or returns an error.

Types

type SELinuxRunner

type SELinuxRunner interface {
	// Getfilecon returns the SELinux context for the given path or returns an
	// error.
	Getfilecon(path string) (string, error)
}

Note: the libcontainer SELinux package is only built for Linux, so it is necessary to have a NOP wrapper which is built for non-Linux platforms to allow code that links to this package not to differentiate its own methods for Linux and non-Linux platforms.

SELinuxRunner wraps certain libcontainer SELinux calls. For more information, see:

https://github.com/opencontainers/runc/blob/master/libcontainer/selinux/selinux.go

func NewSELinuxRunner

func NewSELinuxRunner() SELinuxRunner

NewSELinuxRunner returns a new SELinuxRunner appropriate for the platform. On Linux, all methods short-circuit and return NOP values if SELinux is disabled. On non-Linux platforms, a NOP implementation is returned.