On 08/08/2013 07:52 PM, Daniel P. Berrange wrote:
From: Dan Walsh <dwalsh(a)redhat.com>
If securityfs is available on the host, we should ensure to
mount it read-only in the container. This will avoid systemd
trying to mount it during startup causing SELinux AVCs.
As a result I read the code of systemd; since this commit, systemd
doesn't mount securityfs in a container.
commit c481f78be7d2620b417e453738ae1d65b576f67e
Author: Lennart Poettering <lennart(a)poettering.net>
Date: Tue Sep 18 12:05:47 2012 +0200
mount: don't mount securityfs in a container
Why does this patch say
"This will avoid systemd trying to mount it during startup"?
Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
---
src/lxc/lxc_container.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
index b910b10..a943b22 100644
--- a/src/lxc/lxc_container.c
+++ b/src/lxc/lxc_container.c
@@ -770,6 +770,8 @@ static int lxcContainerMountBasicFS(void)
{ "/proc/sys", "/proc/sys", NULL, NULL,
MS_BIND|MS_REMOUNT|MS_RDONLY },
{ "sysfs", "/sys", "sysfs", NULL,
MS_NOSUID|MS_NOEXEC|MS_NODEV },
{ "sysfs", "/sys", "sysfs", NULL,
MS_BIND|MS_REMOUNT|MS_RDONLY },
+ { "securityfs", "/sys/kernel/security",
"securityfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV },
+ { "securityfs", "/sys/kernel/security",
"securityfs", NULL, MS_BIND|MS_REMOUNT|MS_RDONLY },
#if WITH_SELINUX
{ SELINUX_MOUNT, SELINUX_MOUNT, "selinuxfs", NULL,
MS_NOSUID|MS_NOEXEC|MS_NODEV },
{ SELINUX_MOUNT, SELINUX_MOUNT, NULL, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY },
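Review bot: the two new securityfs entries are unconditional, but the commit message says they apply only "if securityfs is available on the host"; on a kernel without securityfs the first mount() of "securityfs" on /sys/kernel/security will fail (and the mountpoint directory may not exist at all under the sysfs already remounted read-only a few lines above), so lxcContainerMountBasicFS needs either a check before this entry (for example that securityfs is listed in /proc/filesystems) or an explicit non-fatal path for it, and the commit message should say which. Minor: the read-only remount entry passes "securityfs" as the fstype while the selinuxfs remount entry directly below passes NULL; the type is ignored for MS_BIND|MS_REMOUNT, so the table should use one convention.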