Refactor pkg/util/selinux

2026-01-06 07:57:35 +00:00 · 2016-10-25 11:51:11 -04:00
parent ea423110cc
commit 7fb99442a6
9 changed files with 56 additions and 43 deletions
--- a/pkg/util/selinux/selinux_linux.go
+++ b/pkg/util/selinux/selinux_linux.go
@@ -19,25 +19,34 @@ limitations under the License.
 package selinux

 import (
-	"fmt"
-
 	"github.com/opencontainers/runc/libcontainer/selinux"
 )

-type realSelinuxContextRunner struct{}
-
-func (_ *realSelinuxContextRunner) SetContext(dir, context string) error {
-	// If SELinux is not enabled, return an empty string
-	if !selinux.SelinuxEnabled() {
-		return nil
-	}
-
-	return selinux.Setfilecon(dir, context)
+// SELinuxEnabled returns whether SELinux is enabled on the system.  SELinux
+// has a tri-state:
+//
+// 1.  disabled: SELinux Kernel modules not loaded, SELinux policy is not
+//     checked during Kernel MAC checks
+// 2.  enforcing: Enabled; SELinux policy violations are denied and logged
+//     in the audit log
+// 3.  permissive: Enabled, but SELinux policy violations are permitted and
+//     logged in the audit log
+//
+// SELinuxEnabled returns true if SELinux is enforcing or permissive, and
+// false if it is disabled.
+func SELinuxEnabled() bool {
+	return selinux.SelinuxEnabled()
 }

-func (_ *realSelinuxContextRunner) Getfilecon(path string) (string, error) {
-	if !selinux.SelinuxEnabled() {
-		return "", fmt.Errorf("SELinux is not enabled")
+// realSELinuxRunner is the real implementation of SELinuxRunner interface for
+// Linux.
+type realSELinuxRunner struct{}
+
+var _ SELinuxRunner = &realSELinuxRunner{}
+
+func (_ *realSELinuxRunner) Getfilecon(path string) (string, error) {
+	if !SELinuxEnabled() {
+		return "", nil
 	}
 	return selinux.Getfilecon(path)
 }