Merge pull request #789 from elezar/add-selinux-context

Modify SELinux context of MPS pipe directory
NVIDIA · Jul 10, 2024 · 6c5fa87 · 6c5fa87
2 parents d80f0e8 + 081a3ce
commit 6c5fa87
Show file tree

Hide file tree

Showing 11 changed files with 2,231 additions and 0 deletions.
diff --git a/cmd/mps-control-daemon/mps/daemon.go b/cmd/mps-control-daemon/mps/daemon.go
@@ -24,6 +24,7 @@ import (
 	"os/exec"
 	"path/filepath"
 
+	"github.com/opencontainers/selinux/go-selinux"
 	"k8s.io/klog/v2"
 
 	"github.com/NVIDIA/k8s-device-plugin/internal/rm"
@@ -97,6 +98,12 @@ func (d *Daemon) Start() error {
 		return fmt.Errorf("error creating directory %v: %w", pipeDir, err)
 	}
 
+	if selinux.EnforceMode() == selinux.Enforcing {
+		if err := selinux.Chcon(pipeDir, "container_file_t", true); err != nil {
+			return fmt.Errorf("error setting SELinux context: %w", err)
+		}
+	}
+
 	logDir := d.LogDir()
 	if err := os.MkdirAll(logDir, 0755); err != nil {
 		return fmt.Errorf("error creating directory %v: %w", logDir, err)

diff --git a/go.mod b/go.mod
@@ -12,6 +12,7 @@ require (
 	github.com/mittwald/go-helm-client v0.12.9
 	github.com/onsi/ginkgo/v2 v2.19.0
 	github.com/onsi/gomega v1.33.1
+	github.com/opencontainers/selinux v1.11.0
 	github.com/prometheus/procfs v0.15.1
 	github.com/sirupsen/logrus v1.9.3
 	github.com/stretchr/testify v1.9.0

diff --git a/vendor/github.com/opencontainers/selinux/LICENSE b/vendor/github.com/opencontainers/selinux/LICENSE
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/doc.go b/vendor/github.com/opencontainers/selinux/go-selinux/doc.go