Free SELinux labels when the labels are not being used

[rhatdan]

Currently when lots of containers are created as disabled, each container will leak and MCS Label. Eventually the system will run out of labels and go into an infinate loop looking for labels.

Signed-off-by: Daniel J Walsh dwalsh@redhat.com

- What I did

- How I did it

- How to verify it

- Description for the changelog

- A picture of a cute animal (not mandatory but encouraged)

[TomSweeneyRedHat]

I thought we had to change the file in projectatomic/runc? https://github.com/projectatomic/runc/blob/master/libcontainer/label/label_selinux.go

[rhatdan]

We are changing it in the vendored version of docker, basically of the same code. runc does not allocate the selinux label, docker does, using the vendored runc code.

[rhatdan]

Probably do not need to.