Ensure existing selinux mount is removed before mounting new one in LXC

Some kernel versions (at least RHEL-6 2.6.32) do not let you over-mount an existing selinuxfs instance with a new one. Thus we must unmount the existing instance inside our namespace. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2025-01-11 15:27:47 +00:00 · 2012-09-18 12:25:56 +01:00 · 2012-09-18 12:25:56 +01:00 · c15d893252
commit c15d893252
parent ab42772a46
1 changed files with 16 additions and 0 deletions
--- a/src/lxc/lxc_container.c
+++ b/src/lxc/lxc_container.c
@ -1523,6 +1523,14 @@ static int lxcContainerSetupPivotRoot(virDomainDefPtr vmDef,
    if (lxcContainerPivotRoot(root) < 0)
        goto cleanup;

+#if HAVE_SELINUX
+    /* Some versions of Linux kernel don't let you overmount
+     * the selinux filesystem, so make sure we kill it first
+     */
+    if (lxcContainerUnmountSubtree(SELINUX_MOUNT, false) < 0)
+        goto cleanup;
+#endif
+
    /* If we have the root source being '/', then we need to
     * get rid of any existing stuff under /proc, /sys & /tmp.
     * We need new namespace aware versions of those. We must
@ -1608,6 +1616,14 @@ static int lxcContainerSetupExtraMounts(virDomainDefPtr vmDef,
    if (lxcContainerIdentifyCGroups(&mounts, &nmounts, &cgroupRoot) < 0)
        return -1;

+#if HAVE_SELINUX
+    /* Some versions of Linux kernel don't let you overmount
+     * the selinux filesystem, so make sure we kill it first
+     */
+    if (lxcContainerUnmountSubtree(SELINUX_MOUNT, false) < 0)
+        goto cleanup;
+#endif
+
    /* Gets rid of any existing stuff under /proc, since we need new
     * namespace aware versions of those. We must do /proc second
     * otherwise we won't find /proc/mounts :-) */