Some kernel versions (at least RHEL-6 2.6.32) do not let you over-mount
an existing selinuxfs instance with a new one. Thus we must unmount the
existing instance inside our namespace.
Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
---
src/lxc/lxc_container.c | 16 ++++++++++++++++
1 files changed, 16 insertions(+), 0 deletions(-)
diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
index 9bc5610..f5b0bc6 100644
--- a/src/lxc/lxc_container.c
+++ b/src/lxc/lxc_container.c
@@ -1533,6 +1533,14 @@ static int lxcContainerSetupPivotRoot(virDomainDefPtr vmDef,
lxcContainerUnmountSubtree("/proc", false) < 0))
goto cleanup;
+#if HAVE_SELINUX
+ /* Some versions of Linux kernel don't let you overmount
+ * the selinux filesystem, so make sure we kill it first
+ */
+ if (lxcContainerUnmountSubtree(SELINUX_MOUNT, false) < 0)
+ goto cleanup;
+#endif
+
/* Mounts the core /proc, /sys, etc filesystems */
if (lxcContainerMountBasicFS(true, sec_mount_options) < 0)
goto cleanup;
@@ -1615,6 +1623,14 @@ static int lxcContainerSetupExtraMounts(virDomainDefPtr vmDef,
lxcContainerUnmountSubtree("/proc", false) < 0)
goto cleanup;
+#if HAVE_SELINUX
+ /* Some versions of Linux kernel don't let you overmount
+ * the selinux filesystem, so make sure we kill it first
+ */
+ if (lxcContainerUnmountSubtree(SELINUX_MOUNT, false) < 0)
+ goto cleanup;
+#endif
+
/* Mounts the core /proc, /sys, etc filesystems */
if (lxcContainerMountBasicFS(false, sec_mount_options) < 0)
goto cleanup;
--
1.7.1
--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list