package label

import "github.com/opencontainers/selinux/go-selinux/label"

Index ¶

• Variables
• func FormatMountLabel(src, mountLabel string) string
• func GenLabels(options string) (string, string, error)
• func Init()
• func InitLabels(options []string) (plabel string, mlabel string, retErr error)
• func IsShared(label string) bool
• func Relabel(path string, fileLabel string, shared bool) error
• func RelabelNeeded(label string) bool
• func ReleaseLabel(label string) error
• func ReserveLabel(label string) error
• func SetFileCreateLabel(fileLabel string) error
• func SetFileLabel(path string, fileLabel string) error
• func Validate(label string) error

Variables ¶

var ClearLabels = selinux.ClearLabels

ClearLabels will clear all reserved labels Deprecated: use selinux.ClearLabels

var DisableSecOpt = selinux.DisableSecOpt

DisableSecOpt returns a security opt that can disable labeling support for future container processes Deprecated: use selinux.DisableSecOpt

var DupSecOpt = selinux.DupSecOpt

DupSecOpt takes a process label and returns security options that can be used to set duplicate labels on future container processes Deprecated: use selinux.DupSecOpt

var ErrIncompatibleLabel = errors.New("Bad SELinux option z and Z can not be used together")

var FileLabel = selinux.FileLabel

FileLabel returns the label for specified path Deprecated: use selinux.FileLabel

var KeyLabel = selinux.KeyLabel

KeyLabel retrieves the current default kernel keyring label setting Deprecated: use selinux.KeyLabel

var PidLabel = selinux.PidLabel

PidLabel will return the label of the process running with the specified pid Deprecated: use selinux.PidLabel

var ProcessLabel = selinux.ExecLabel

ProcessLabel returns the process label that the kernel will assign to the next program executed by the current process. If "" is returned this indicates that the default labeling will happen for the process. Deprecated: use selinux.ExecLabel

var ROMountLabel = selinux.ROFileLabel

Deprecated: use selinux.ROFileLabel

var SetKeyLabel = selinux.SetKeyLabel

SetKeyLabel takes a process label and tells the kernel to assign the label to the next kernel keyring that gets created Deprecated: use selinux.SetKeyLabel

var SetProcessLabel = selinux.SetExecLabel

SetProcessLabel takes a process label and tells the kernel to assign the label to the next program executed by the current process. Deprecated: use selinux.SetExecLabel

var SetSocketLabel = selinux.SetSocketLabel

SetSocketLabel takes a process label and tells the kernel to assign the label to the next socket that gets created Deprecated: use selinux.SetSocketLabel

var SocketLabel = selinux.SocketLabel

SocketLabel retrieves the current default socket label setting Deprecated: use selinux.SocketLabel

Functions ¶

func FormatMountLabel ¶

func FormatMountLabel(src, mountLabel string) string

FormatMountLabel returns a string to be used by the mount command. The format of this string will be used to alter the labeling of the mountpoint. The string returned is suitable to be used as the options field of the mount command. If you need to have additional mount point options, you can pass them in as the first parameter. Second parameter is the label that you wish to apply to all content in the mount point.

func GenLabels ¶

func GenLabels(options string) (string, string, error)

Deprecated: The GenLabels function is only to be used during the transition to the official API. Use InitLabels(strings.Fields(options)) instead.

func Init ¶

func Init()

Init initialises the labeling system

func InitLabels ¶

func InitLabels(options []string) (plabel string, mlabel string, retErr error)

InitLabels returns the process label and file labels to be used within the container. A list of options can be passed into this function to alter the labels. The labels returned will include a random MCS String, that is guaranteed to be unique. If the disabled flag is passed in, the process label will not be set, but the mount label will be set to the container_file label with the maximum category. This label is not usable by any confined label.

func IsShared ¶

func IsShared(label string) bool

IsShared checks that the label includes a "shared" mark

func Relabel ¶

func Relabel(path string, fileLabel string, shared bool) error

Relabel changes the label of path to the filelabel string. It changes the MCS label to s0 if shared is true. This will allow all containers to share the content.

func RelabelNeeded ¶

func RelabelNeeded(label string) bool

RelabelNeeded checks whether the user requested a relabel

func ReleaseLabel ¶

func ReleaseLabel(label string) error

ReleaseLabel will remove the reservation of the MCS label. This will allow InitLabels to use the MCS label in a newly created containers Deprecated: use selinux.ReleaseLabel

func ReserveLabel ¶

func ReserveLabel(label string) error

ReserveLabel will record the fact that the MCS label has already been used. This will prevent InitLabels from using the MCS label in a newly created container Deprecated: use selinux.ReserveLabel

func SetFileCreateLabel ¶

func SetFileCreateLabel(fileLabel string) error

SetFileCreateLabel tells the kernel the label for all files to be created

func SetFileLabel ¶

func SetFileLabel(path string, fileLabel string) error

SetFileLabel modifies the "path" label to the specified file label

func Validate ¶

func Validate(label string) error

Validate checks that the label does not include unexpected options

Source Files ¶

label.go label_linux.go