Some kernel versions (at least RHEL-6 2.6.32) do not let you over-mount an existing selinuxfs instance with a new one. Thus we must unmount the existing instance inside our namespace. Signed-off-by: Daniel P. Berrange <berrange@redhat.com> --- src/lxc/lxc_container.c | 16 ++++++++++++++++ 1 files changed, 16 insertions(+), 0 deletions(-) diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c index 9bc5610..f5b0bc6 100644 --- a/src/lxc/lxc_container.c +++ b/src/lxc/lxc_container.c @@ -1533,6 +1533,14 @@ static int lxcContainerSetupPivotRoot(virDomainDefPtr vmDef, lxcContainerUnmountSubtree("/proc", false) < 0)) goto cleanup; +#if HAVE_SELINUX + /* Some versions of Linux kernel don't let you overmount + * the selinux filesystem, so make sure we kill it first + */ + if (lxcContainerUnmountSubtree(SELINUX_MOUNT, false) < 0) + goto cleanup; +#endif + /* Mounts the core /proc, /sys, etc filesystems */ if (lxcContainerMountBasicFS(true, sec_mount_options) < 0) goto cleanup; @@ -1615,6 +1623,14 @@ static int lxcContainerSetupExtraMounts(virDomainDefPtr vmDef, lxcContainerUnmountSubtree("/proc", false) < 0) goto cleanup; +#if HAVE_SELINUX + /* Some versions of Linux kernel don't let you overmount + * the selinux filesystem, so make sure we kill it first + */ + if (lxcContainerUnmountSubtree(SELINUX_MOUNT, false) < 0) + goto cleanup; +#endif + /* Mounts the core /proc, /sys, etc filesystems */ if (lxcContainerMountBasicFS(false, sec_mount_options) < 0) goto cleanup; -- 1.7.1