Re: [PATCH] Ensure securityfs is mounted readonly in container

On 08/08/2013 07:52 PM, Daniel P. Berrange wrote:
> From: Dan Walsh <dwalsh@xxxxxxxxxx>
> 
> If securityfs is available on the host, we should ensure to
> mount it read-only in the container. This will avoid systemd
> trying to mount it during startup causing SELinux AVCs.

From reading the systemd code, since this commit systemd
doesn't mount securityfs in a container.

commit c481f78be7d2620b417e453738ae1d65b576f67e
Author: Lennart Poettering <lennart@xxxxxxxxxxxxxx>
Date:   Tue Sep 18 12:05:47 2012 +0200

    mount: don't mount securityfs in a container

Why does this patch say
"This will avoid systemd trying to mount it during startup"?

> 
> Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
> ---
>  src/lxc/lxc_container.c | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
> index b910b10..a943b22 100644
> --- a/src/lxc/lxc_container.c
> +++ b/src/lxc/lxc_container.c
> @@ -770,6 +770,8 @@ static int lxcContainerMountBasicFS(void)
>          { "/proc/sys", "/proc/sys", NULL, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY },
>          { "sysfs", "/sys", "sysfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV },
>          { "sysfs", "/sys", "sysfs", NULL, MS_BIND|MS_REMOUNT|MS_RDONLY },
> +        { "securityfs", "/sys/kernel/security", "securityfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV },
> +        { "securityfs", "/sys/kernel/security", "securityfs", NULL, MS_BIND|MS_REMOUNT|MS_RDONLY },
>  #if WITH_SELINUX
>          { SELINUX_MOUNT, SELINUX_MOUNT, "selinuxfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV },
>          { SELINUX_MOUNT, SELINUX_MOUNT, NULL, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY },
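Review bot: The two new securityfs entries are unconditional, although the commit message says "If securityfs is available on the host". The neighbouring selinuxfs entries are guarded by `#if WITH_SELINUX`, but nothing visible here checks whether the host kernel offers securityfs (e.g. whether /sys/kernel/security exists) or whether lxcContainerMountBasicFS tolerates a mount failure for a filesystem the kernel does not provide; please either add that check or confirm the loop treats such a failure as non-fatal. The read-only bind-remount entry matches the sysfs pattern above, which is the right shape for a defence-in-depth mount. Also, given the reply's note that systemd already skips mounting securityfs inside containers, the commit message should state the actual motivation (making the filesystem visible read-only) rather than the AVC avoidance, so the reason for the change is accurate in history.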
> 

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
