selinux: don't use lsetxattr on /proc/self/fd/%d

lsetxattr always fails with ENOTSUP when it tries to relabel /proc/self/fd/%d but in this case we are acutally intrested on the actual file pointed by the `/proc/self/fd/%d` not in the `symlink` so use `Chcon` instead of `Relabel` since `Relabel` was configured here opencontainers/selinux#173 to use `lsetxattr` instead of `setxattr`. [ NO NEW TESTS NEEDED ] [ NO TEST NEEDED ] Signed-off-by: Aditya R <arajan@redhat.com>
flouthoc · Apr 1, 2022 · 5020cfe · 5020cfe
1 parent 7552de6
commit 5020cfe
Showing 1 changed file with 1 addition and 2 deletions.
diff --git a/selinux.go b/selinux.go
@@ -7,7 +7,6 @@ import (
 
 	"github.com/opencontainers/runtime-tools/generate"
 	selinux "github.com/opencontainers/selinux/go-selinux"
-	"github.com/opencontainers/selinux/go-selinux/label"
 	"github.com/pkg/errors"
 )
 
@@ -33,7 +32,7 @@ func runLabelStdioPipes(stdioPipe [][]int, processLabel, mountLabel string) erro
 	}
 	for i := range stdioPipe {
 		pipeFdName := fmt.Sprintf("/proc/self/fd/%d", stdioPipe[i][0])
-		if err := label.Relabel(pipeFdName, pipeContext, false); err != nil {
+		if err := selinux.Chcon(pipeFdName, pipeContext, false); err != nil {
 			return errors.Wrapf(err, "setting file label on %q", pipeFdName)
 		}
 	}