authorDaniel P. Berrange <berrange@redhat.com>2012-09-18 12:25:56 +0100
committerDaniel P. Berrange <berrange@redhat.com>2012-09-21 10:27:42 +0100
commitc15d893252e8000d26a33813027edde38e1b6912 (patch)
tree7dff5b38d2cab9d833bfa774f4ec9d0cd71e338f
parentFix crash accessing a NULL URI when looking up auth credentials (diff)
Ensure existing selinux mount is removed before mounting new one in LXC
Some kernel versions (at least RHEL-6 2.6.32) do not let you over-mount an existing selinuxfs instance with a new one. Thus we must unmount the existing instance inside our namespace. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
-rw-r--r--src/lxc/lxc_container.c16
1 files changed, 16 insertions, 0 deletions
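--- a/src/lxc/lxc_container.c
+++ b/src/lxc/lxc_container.c
@@ -1523,6 +1523,14 @@ static int lxcContainerSetupPivotRoot(virDomainDefPtr vmDef,
 if (lxcContainerPivotRoot(root) < 0)
 goto cleanup;
+#if HAVE_SELINUX
+ /* Some versions of Linux kernel don't let you overmount
+ * the selinux filesystem, so make sure we kill it first
+ */
+ if (lxcContainerUnmountSubtree(SELINUX_MOUNT, false) < 0)
+ goto cleanup;
+#endif
+
 /* If we have the root source being '/', then we need to
 * get rid of any existing stuff under /proc, /sys & /tmp.
 * We need new namespace aware versions of those. We must
@@ -1608,6 +1616,14 @@ static int lxcContainerSetupExtraMounts(virDomainDefPtr vmDef,
 if (lxcContainerIdentifyCGroups(&mounts, &nmounts, &cgroupRoot) < 0)
 return -1;
+#if HAVE_SELINUX
+ /* Some versions of Linux kernel don't let you overmount
+ * the selinux filesystem, so make sure we kill it first
+ */
+ if (lxcContainerUnmountSubtree(SELINUX_MOUNT, false) < 0)
+ goto cleanup;
+#endif
+
 /* Gets rid of any existing stuff under /proc, since we need new
 * namespace aware versions of those. We must do /proc second
 * otherwise we won't find /proc/mounts :-) */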
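Review bot: The `#if HAVE_SELINUX` block added here in lxcContainerSetupExtraMounts is a byte-for-byte copy of the one added to lxcContainerSetupPivotRoot in the first hunk; a small static helper would keep the two call sites from drifting and would let an `#else` branch document that the step is intentionally a no-op when SELinux support is compiled out. It is not visible on this page whether lxcContainerUnmountSubtree() returns 0 when nothing is mounted under SELINUX_MOUNT; if it reports that as a failure, container start would abort on hosts built with SELinux support but running with selinuxfs unmounted, so the helper's comment should state the "nothing mounted" contract once it has been confirmed against that function. The comment in both hunks would also read better with the kernel detail from the commit message, e.g. `/* Some kernels (at least RHEL-6 2.6.32) refuse to over-mount an existing selinuxfs instance, so unmount it first */`. Both enclosing functions start and end outside their hunks.
```c
#if HAVE_SELINUX
/* Some kernels (at least RHEL-6 2.6.32) refuse to over-mount an existing
 * selinuxfs instance, so remove any instance visible in this namespace
 * before a fresh one is mounted.  Returns 0 on success, -1 on error;
 * TODO(review): confirm the callee treats "nothing mounted" as success. */
static int lxcContainerUnmountSelinux(void)
{
    return lxcContainerUnmountSubtree(SELINUX_MOUNT, false);
}
#else
static int lxcContainerUnmountSelinux(void)
{
    return 0; /* SELinux support compiled out: nothing to unmount */
}
#endif

/* … unchanged: lxcContainerSetupExtraMounts up to lxcContainerIdentifyCGroups() … */
    if (lxcContainerUnmountSelinux() < 0)
        goto cleanup;
```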