From: "Daniel P. Berrange" <berrange(a)redhat.com>
When setting up filesystems backed by block devices or file
images, the SELinux mount options must be used to ensure the
correct context is set.
Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
---
src/lxc/lxc_container.c | 36 +++++++++++++++++++++---------------
1 file changed, 21 insertions(+), 15 deletions(-)
diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
index 389c336..84069c0 100644
--- a/src/lxc/lxc_container.c
+++ b/src/lxc/lxc_container.c
@@ -109,7 +109,8 @@ struct __lxc_child_argv {
};
static int lxcContainerMountFSBlock(virDomainFSDefPtr fs,
- const char *srcprefix);
+ const char *srcprefix,
+ const char *sec_mount_options);
/*
@@ -546,7 +547,8 @@ cleanup:
static int lxcContainerPrepareRoot(virDomainDefPtr def,
- virDomainFSDefPtr root)
+ virDomainFSDefPtr root,
+ const char *sec_mount_options)
{
char *dst;
char *tmp;
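Review bot: The new sec_mount_options parameter on lxcContainerPrepareRoot is undocumented, and nothing in the hunk states its contract (who owns the string, whether NULL is acceptable, what format it has). Since the commit message says these are the SELinux mount options, a short comment above the signature would save the next reader a trip through the call chain, e.g. `/* sec_mount_options: security-driver mount option string, passed unchanged as the data argument of mount(2) for the root filesystem (NULL when no driver supplies options - confirm) */`. The function body continues past the hunk.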
@@ -578,7 +580,7 @@ static int lxcContainerPrepareRoot(virDomainDefPtr def,
tmp = root->dst;
root->dst = dst;
- if (lxcContainerMountFSBlock(root, "") < 0) {
+ if (lxcContainerMountFSBlock(root, "", sec_mount_options) < 0) {
root->dst = tmp;
VIR_FREE(dst);
return -1;
@@ -1084,7 +1086,8 @@ lxcContainerMountDetectFilesystem(const char *src ATTRIBUTE_UNUSED,
*/
static int lxcContainerMountFSBlockAuto(virDomainFSDefPtr fs,
int fsflags,
- const char *src)
+ const char *src,
+ const char *sec_mount_options)
{
FILE *fp = NULL;
int ret = -1;
@@ -1161,8 +1164,9 @@ retry:
STREQ(type, "*"))
gotStar = true;
- VIR_DEBUG("Trying mount %s with %s", src, type);
- if (mount(src, fs->dst, type, fsflags, NULL) < 0) {
+ VIR_DEBUG("Trying mount '%s' on '%s' with '%s' opts
'%s'",
+ src, fs->dst, type, sec_mount_options);
+ if (mount(src, fs->dst, type, fsflags, sec_mount_options) < 0) {
/* These errnos indicate a bogus filesystem type for
* the image we have, so skip to the next type
*/
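Review bot: The new VIR_DEBUG on the `Trying mount` line passes sec_mount_options to a `%s` conversion; if a caller can hand down NULL (which mount(2) accepts as empty data, and which seems likely when no security driver supplies options), that is undefined for printf-family formatting even though glibc happens to print "(null)". Guard it with `NULLSTR(sec_mount_options)` in the argument list; the same applies to the `detected format` VIR_DEBUG in lxcContainerMountFSBlockHelper in a later hunk. Separately, the mount() call in this probe loop now carries the option string into every filesystem-type guess, and the skip branch below treats certain errnos as a wrong-type guess; it is worth confirming that an EINVAL caused by a rejected option string cannot be mistaken for a bad type and end up as the generic end-of-loop failure. The loop body starts and ends outside the hunk.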
@@ -1212,7 +1216,8 @@ cleanup:
* probing for filesystem type
*/
static int lxcContainerMountFSBlockHelper(virDomainFSDefPtr fs,
- const char *src)
+ const char *src,
+ const char *sec_mount_options)
{
int fsflags = 0;
int ret = -1;
@@ -1232,9 +1237,9 @@ static int lxcContainerMountFSBlockHelper(virDomainFSDefPtr fs,
goto cleanup;
if (format) {
- VIR_DEBUG("Mount '%s' on '%s' with detected format
'%s'",
- src, fs->dst, format);
- if (mount(src, fs->dst, format, fsflags, NULL) < 0) {
+ VIR_DEBUG("Mount '%s' on '%s' with detected format
'%s' opts '%s'",
+ src, fs->dst, format, sec_mount_options);
+ if (mount(src, fs->dst, format, fsflags, sec_mount_options) < 0) {
virReportSystemError(errno,
_("Failed to mount device %s to %s as %s"),
src, fs->dst, format);
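Review bot: The virReportSystemError message on the failure path still reports only device, target and format, while the mount() call two lines above now also depends on sec_mount_options; a failure caused by the option string will be reported as if the format were wrong. Include the options in the message, e.g. `_("Failed to mount device %s to %s as %s with options '%s'"),` / `src, fs->dst, format, NULLSTR(sec_mount_options));` - NULLSTR also covers the case where no options were supplied. lxcContainerMountFSBlockHelper continues outside the hunk.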
@@ -1242,7 +1247,7 @@ static int lxcContainerMountFSBlockHelper(virDomainFSDefPtr fs,
}
ret = 0;
} else {
- ret = lxcContainerMountFSBlockAuto(fs, fsflags, src);
+ ret = lxcContainerMountFSBlockAuto(fs, fsflags, src, sec_mount_options);
}
cleanup:
@@ -1252,7 +1257,8 @@ cleanup:
static int lxcContainerMountFSBlock(virDomainFSDefPtr fs,
- const char *srcprefix)
+ const char *srcprefix,
+ const char *sec_mount_options)
{
char *src = NULL;
int ret = -1;
@@ -1262,7 +1268,7 @@ static int lxcContainerMountFSBlock(virDomainFSDefPtr fs,
goto cleanup;
}
- ret = lxcContainerMountFSBlockHelper(fs, src);
+ ret = lxcContainerMountFSBlockHelper(fs, src, sec_mount_options);
VIR_DEBUG("Done mounting filesystem ret=%d", ret);
@@ -1324,7 +1330,7 @@ static int lxcContainerMountFS(virDomainFSDefPtr fs,
return -1;
break;
case VIR_DOMAIN_FS_TYPE_BLOCK:
- if (lxcContainerMountFSBlock(fs, "/.oldroot") < 0)
+ if (lxcContainerMountFSBlock(fs, "/.oldroot", sec_mount_options) <
0)
return -1;
break;
case VIR_DOMAIN_FS_TYPE_RAM:
@@ -1801,7 +1807,7 @@ static int lxcContainerSetupPivotRoot(virDomainDefPtr vmDef,
goto cleanup;
/* Ensure the root filesystem is mounted */
- if (lxcContainerPrepareRoot(vmDef, root) < 0)
+ if (lxcContainerPrepareRoot(vmDef, root, sec_mount_options) < 0)
goto cleanup;
/* Gives us a private root, leaving all parent OS mounts on /.oldroot */
--
1.8.3.1