From 6807238d87fd93dee30038bea1e8582a5f0a9fe7 Mon Sep 17 00:00:00 2001 From: Dan Walsh Date: Thu, 8 Aug 2013 12:51:01 +0100 Subject: [PATCH] Ensure securityfs is mounted readonly in container If securityfs is available on the host, we should ensure to mount it read-only in the container. This will avoid systemd trying to mount it during startup causing SELinux AVCs. Signed-off-by: Daniel P. Berrange --- src/lxc/lxc_container.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c index b910b1039b..a943b22927 100644 --- a/src/lxc/lxc_container.c +++ b/src/lxc/lxc_container.c @@ -770,6 +770,8 @@ static int lxcContainerMountBasicFS(void) { "/proc/sys", "/proc/sys", NULL, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY }, { "sysfs", "/sys", "sysfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV }, { "sysfs", "/sys", "sysfs", NULL, MS_BIND|MS_REMOUNT|MS_RDONLY }, + { "securityfs", "/sys/kernel/security", "securityfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV }, + { "securityfs", "/sys/kernel/security", "securityfs", NULL, MS_BIND|MS_REMOUNT|MS_RDONLY }, #if WITH_SELINUX { SELINUX_MOUNT, SELINUX_MOUNT, "selinuxfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV }, { SELINUX_MOUNT, SELINUX_MOUNT, NULL, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY }, -- GitLab