Right now we mount selinuxfs even user namespace is enabled and
ignore the error. But we shouldn't ignore these errors when user
namespace is not enabled.
This patch skips mounting selinuxfs when user namespace enabled.
Signed-off-by: Gao feng <gaofeng@xxxxxxxxxxxxxx>
---
src/lxc/lxc_container.c | 8 +-------
1 file changed, 1 insertion(+), 7 deletions(-)
diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
index 661ac52..84b1b57 100644
--- a/src/lxc/lxc_container.c
+++ b/src/lxc/lxc_container.c
@@ -797,7 +797,7 @@ static int lxcContainerMountBasicFS(bool userns_enabled)
#if WITH_SELINUX
if (STREQ(mnts[i].src, SELINUX_MOUNT) &&
- !is_selinux_enabled())
+ (!is_selinux_enabled() || userns_enabled))
continue;
#endif
@@ -814,12 +814,6 @@ static int lxcContainerMountBasicFS(bool userns_enabled)
VIR_DEBUG("Mount %s on %s type=%s flags=%x, opts=%s",
srcpath, mnts[i].dst, mnts[i].type, mnts[i].mflags, mnts[i].opts);
if (mount(srcpath, mnts[i].dst, mnts[i].type, mnts[i].mflags, mnts[i].opts) < 0) {
-#if WITH_SELINUX
- if (STREQ(mnts[i].src, SELINUX_MOUNT) &&
- (errno == EINVAL || errno == EPERM))
- continue;
-#endif
-
virReportSystemError(errno,
_("Failed to mount %s on %s type %s flags=%x opts=%s"),
srcpath, mnts[i].dst, NULLSTR(mnts[i].type),
--
1.8.3.1
--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list