Don't bind mount onto a char device for /dev/ptmx in LXC

The current setup code for LXC is bind mounting /dev/pts/ptmx
on top of a character device /dev/ptmx. This is denied by SELinux
policy and is just wrong. The target of a bind mount should just
be a plain file

* src/lxc/lxc_container.c: Don't bind /dev/pts/ptmx onto
  a char device

src/lxc/lxc_container.c

@@ -555,6 +555,18 @@ static int lxcContainerPopulateDevices(char **ttyPaths, size_t nttyPaths)
         }
     }
 
+    if (access("/dev/pts/ptmx", W_OK) == 0) {
+        /* We have private devpts capability, so bind that */
+        if (virFileTouch("/dev/ptmx", 0666) < 0)
+            return -1;
+
+        if (mount("/dev/pts/ptmx", "/dev/ptmx", "ptmx", MS_BIND, NULL) < 0) {
+            virReportSystemError(errno, "%s",
+                                 _("Failed to bind /dev/pts/ptmx on to /dev/ptmx"));
+            return -1;
+        }
+    } else {
+        /* Legacy devpts, so we need to just use shared one */
         dev_t dev = makedev(LXC_DEV_MAJ_TTY, LXC_DEV_MIN_PTMX);
         if (mknod("/dev/ptmx", S_IFCHR, dev) < 0 ||
             chmod("/dev/ptmx", 0666)) {
@@ -562,13 +574,6 @@ static int lxcContainerPopulateDevices(char **ttyPaths, size_t nttyPaths)
                                  _("Failed to make device /dev/ptmx"));
             return -1;
         }
-
-    if (access("/dev/pts/ptmx", W_OK) == 0) {
-        if (mount("/dev/pts/ptmx", "/dev/ptmx", "ptmx", MS_BIND, NULL) < 0) {
-            virReportSystemError(errno, "%s",
-                                 _("Failed to bind-mount /dev/ptmx to /dev/pts/ptmx"));
-            return -1;
-        }
     }
 
     for (i = 0 ; i < nttyPaths ; i++) {