From 2437c7a0b44987699577f8252f4f96a560957815 Mon Sep 17 00:00:00 2001
From: lifubang
Date: Thu, 4 Apr 2019 16:20:49 +0800
Subject: [PATCH] fix can't use empty str as label in some old kernels

Signed-off-by: lifubang
---
 go-selinux/label/label.go | 8 ++++++++
 go-selinux/label/label_selinux.go | 16 ++++++++++++++++
 go-selinux/selinux_linux.go | 9 ++++-----
 3 files changed, 28 insertions(+), 5 deletions(-)

diff --git a/go-selinux/label/label.go b/go-selinux/label/label.go
index e178568..193e2c6 100644
--- a/go-selinux/label/label.go
+++ b/go-selinux/label/label.go
@@ -25,6 +25,10 @@ func SetProcessLabel(processLabel string) error {
 return nil
 }
 
+func ClearProcessLabel() error {
+ return nil
+}
+
 func ProcessLabel() (string, error) {
 return "", nil
 }
@@ -41,6 +45,10 @@ func SetKeyLabel(processLabel string) error {
 return nil
 }
 
+func ClearKeyLabel() error {
+ return nil
+}
+
 func KeyLabel() (string, error) {
 return "", nil
 }
diff --git a/go-selinux/label/label_selinux.go b/go-selinux/label/label_selinux.go
index 1eb9a6b..9ea0c9a 100644
--- a/go-selinux/label/label_selinux.go
+++ b/go-selinux/label/label_selinux.go
@@ -101,9 +101,17 @@ func FormatMountLabel(src, mountLabel string) string {
 // SetProcessLabel takes a process label and tells the kernel to assign the
 // label to the next program executed by the current process.
 func SetProcessLabel(processLabel string) error {
+ if processLabel == "" && selinux.GetEnabled() {
+ processLabel = "unconfined_u:unconfined_r:unconfined_t:s0"
+ }
 return selinux.SetExecLabel(processLabel)
 }
 
+// ClearProcessLabel is to clear process's label
+func ClearProcessLabel() error {
+ return selinux.SetExecLabel("unconfined_u:unconfined_r:unconfined_t:s0")
+}
+
 // SetSocketLabel takes a process label and tells the kernel to assign the
 // label to the next socket that gets created
 func SetSocketLabel(processLabel string) error {
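Review bot: Replacing an empty label with `unconfined_u:unconfined_r:unconfined_t:s0` in SetProcessLabel, and writing that context unconditionally in the new ClearProcessLabel (label_selinux.go), changes "reset to the policy default" into an explicit request for the unconfined domain. Where the loaded policy has no such context or does not allow the transition, the call would presumably fail; where it succeeds, the next exec is labelled unconfined instead of following the default transition, so it is worth confirming this is intended for every caller. The same literal appears four times across this hunk and the SetKeyLabel/ClearKeyLabel hunk, so I would hoist it into one documented constant, e.g. `const unconfinedLabel = "unconfined_u:unconfined_r:unconfined_t:s0" // used where old kernels reject an empty label`. selinux.SetExecLabel is not visible in the hunk, so the failure mode is inferred.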
@@ -118,9 +126,17 @@ func SocketLabel() (string, error) {
 // SetKeyLabel takes a process label and tells the kernel to assign the
 // label to the next kernel keyring that gets created
 func SetKeyLabel(processLabel string) error {
+ if processLabel == "" && selinux.GetEnabled() {
+ processLabel = "unconfined_u:unconfined_r:unconfined_t:s0"
+ }
 return selinux.SetKeyLabel(processLabel)
 }
 
+// ClearKeyLabel is to clear key label
+func ClearKeyLabel() error {
+ return selinux.SetKeyLabel("unconfined_u:unconfined_r:unconfined_t:s0")
+}
+
 // KeyLabel retrieves the current default kernel keyring label setting
 func KeyLabel() (string, error) {
 return selinux.KeyLabel()
diff --git a/go-selinux/selinux_linux.go b/go-selinux/selinux_linux.go
index 51fa8de..287580b 100644
--- a/go-selinux/selinux_linux.go
+++ b/go-selinux/selinux_linux.go
@@ -333,11 +333,6 @@ func writeCon(fpath string, val string) error {
 if fpath == "" {
 return ErrEmptyPath
 }
- if val == "" {
- if !GetEnabled() {
- return nil
- }
- }
 
 out, err := os.OpenFile(fpath, os.O_WRONLY, 0)
 if err != nil {
@@ -350,6 +345,10 @@ func writeCon(fpath string, val string) error {
 } else {
 _, err = out.Write(nil)
 }
+ // for some kernels, we can't write "" as label.
+ if val == "" {
+ return nil
+ }
 return err
 }
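Review bot: ClearKeyLabel in label_selinux.go passes a non-empty context to `selinux.SetKeyLabel` without the `selinux.GetEnabled()` check that the patched SetKeyLabel applies, and ClearProcessLabel in the preceding hunk has the same gap. Because this commit also drops the `!GetEnabled()` early return from writeCon, a clear on a host with SELinux disabled now appears to reach the write with a real label instead of returning nil; selinux.SetKeyLabel is not shown, so that path should be confirmed. A guard such as `if !selinux.GetEnabled() { return nil }` at the top of both Clear functions would keep them no-ops there. The doc comments could also state what the label is reset to, e.g. `// ClearKeyLabel resets the keyring-creation label to the unconfined context.`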
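Review bot: The added `if val == "" { return nil }` ahead of `return err` in writeCon (selinux_linux.go) discards every error from the empty-label write, not only the old-kernel rejection the comment describes. A caller asking to reset a label then gets success even when the write was refused for another reason, presumably leaving the earlier label in effect for the next exec, socket or keyring. I would return nil only for the specific error those kernels produce and pass every other error through, and document the choice, e.g. `// write errors for val == "" are ignored: some kernels reject an empty label, so the earlier label may remain set`. writeCon begins above this hunk, so the handling of the OpenFile error is not visible here.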