On Jun 25 2018, Lennart Poettering <mzerqung at 0pointer.de> wrote:
> On Sa, 23.06.18 14:42, Nikolaus Rath (Nikolaus at rath.org) wrote:
>
>> Hello,
>>
>> When running systemd-nspawn with --private-network, I am getting mount
>> errors:
>>
>> # systemd-nspawn -M iofabric --as-pid2 --private-users=1379532800:65536 --register=no --private-network
>> Spawning container iofabric on /var/lib/machines/iofabric.raw.
>> Press ^] three times within 1s to kill container.
>> Selected user namespace base 1379532800 and range 65536.
>> Failed to mount n/a on /tmp/nspawn-root-2Ar2iL/sys/fs/selinux (MS_BIND ""): No such file or directory
>> Failed to mount n/a on /tmp/nspawn-root-2Ar2iL/sys/fs/selinux (MS_RDONLY|MS_NOSUID|MS_NODEV|MS_NOEXEC|MS_REMOUNT|MS_BIND ""): Invalid argument
>>
>> This is on a (host) system with SELinux disabled.
>>
>> What do these errors mean?
>
> Hmm, this suggests nspawn tries to mount selinuxfs into the container
> even though the kernel doesn't actually support that. This is weird...
>
> What's the systemd version in use here?

$ systemd --version
systemd 232
+PAM +AUDIT +SELINUX +IMA +APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN

> Which distro is this?

Debian stable (stretch) on host, and CentOS 7 in the container.

> Is selinux compiled out of the kernel or just
> disabled during runtime?

How do I find out for sure? All I can say is:

$ grep SELINUX /boot/config-4.18.0-rc1
CONFIG_SECURITY_SELINUX=y
# CONFIG_SECURITY_SELINUX_BOOTPARAM is not set
# CONFIG_SECURITY_SELINUX_DISABLE is not set
CONFIG_SECURITY_SELINUX_DEVELOP=y
CONFIG_SECURITY_SELINUX_AVC_STATS=y
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=0
# CONFIG_DEFAULT_SECURITY_SELINUX is not set

Best,
-Nikolaus

--
GPG Fingerprint: ED31 791B 2C5C 1613 AF38 8B8A D113 FCAC 3C4E 599F

»Time flies like an arrow, fruit flies like a Banana.«
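One way to answer the "how do I find out for sure" question above, as an added shell check that is not part of this thread or of systemd: it classifies SELinux availability from what the running kernel exposes rather than from the build config, because nspawn's bind mount of selinuxfs can only work when the kernel has registered that filesystem type. The file-path arguments are an assumption made so the same logic can be run against constructed samples; they default to the live procfs files.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): classify SELinux availability from
# what the kernel itself exposes. selinuxfs is only registered while SELinux
# is the active LSM, so /proc/filesystems answers the question regardless of
# what CONFIG_SECURITY_SELINUX or /etc/selinux/config say.
# Arguments are file paths (an assumption made so the logic can be tested on
# constructed samples); they default to the live procfs files.
selinux_state() {
    fs="${1:-/proc/filesystems}"
    cmdline="${2:-/proc/cmdline}"
    mounts="${3:-/proc/self/mounts}"

    if ! grep -q '[[:space:]]selinuxfs$' "$fs" 2>/dev/null; then
        # No selinuxfs type registered: the kernel cannot provide
        # /sys/fs/selinux, which is what the mount failures above point at.
        if grep -qE '(^|[[:space:]])selinux=0([[:space:]]|$)' "$cmdline" 2>/dev/null; then
            echo "disabled-by-bootparam"
        elif grep -qE '(^|[[:space:]])security=' "$cmdline" 2>/dev/null &&
             ! grep -qE '(^|[[:space:]])security=selinux([[:space:]]|$)' "$cmdline"; then
            echo "other-lsm-selected"
        else
            echo "not-available"   # compiled out, or not the default LSM
        fi
        return 0
    fi

    # The type exists; report whether it is actually mounted at the usual place.
    if awk '$2 == "/sys/fs/selinux" && $3 == "selinuxfs" { found = 1 }
            END { exit !found }' "$mounts" 2>/dev/null; then
        echo "mounted"
    else
        echo "not-mounted"
    fi
}

# Run against the live system when executed directly.
echo "SELinux from the kernel's point of view: $(selinux_state)"
```

A result other than "mounted" or "not-mounted" means the kernel will refuse any selinuxfs mount, which is the condition under which a container manager should skip that mount entirely.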