[lxc-devel] [PATCH] Support MS_SHARED /

[Serge Hallyn]

Quoting Dwight Engen (dwight.engen at oracle.com):
> On Mon, 07 Jan 2013 13:26:44 -0500
> "Michael H. Warfield" <mhw at WittsEnd.com> wrote:
> 
> > On Tue, 2013-01-08 at 01:32 +0800, Alexander Vladimirov wrote:
> > > 2013/1/8 Serge Hallyn <serge.hallyn at canonical.com>:
> > > > Quoting Alexander Vladimirov
> > > > (alexander.idkfa.vladimirov at gmail.com):
> > > >> Just like on the host:
> > > >> [idkfa at s10 ~]$ ls -la /dev/{null,tty,urandom,zero,full}
> > > >> crw-rw-rw- 1 root root 1, 7 янв  6 13:30 /dev/full
> > > >> crw-rw-rw- 1 root root 1, 3 янв  6 13:30 /dev/null
> > > >> crw-rw-rw- 1 root tty  5, 0 янв  8 00:03 /dev/tty
> > > >> crw-rw-rw- 1 root root 1, 9 янв  6 13:30 /dev/urandom
> > > >> crw-rw-rw- 1 root root 1, 5 янв  6 13:30 /dev/zero
> > > >>
> > > >> For example
> > > >
> > > > You say "for example", implying there is another.  I don't see it
> > > > though. What else is different?
> > 
> > > I'm sure I have encountered error messages about /dev/null
> > > permissions at some point, but I can't reproduce it atm
> 
> I noticed permission problems with /dev/null here on my F17 test box as
> well (dhcp-client-script in the container couldn't >/dev/null), it was
> the SELinux labels, on the host they are:
> 
> drwxr-xr-x. root root system_u:object_r:device_t:s0    /dev
> crw-rw-rw-. root root system_u:object_r:null_device_t:s0 /dev/null
> 
> my container has:
> 
> drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 /dev
> crw-rw-rw-. root root unconfined_u:object_r:default_t:s0 /dev/null
> 
> Don't know if this is the cause of what your seeing though.

Would any of you be able to fill in the selinux LSM code in lxc?  I
realistically would not get to that until after user namespace stuff
is upstream and cleaned up.

And this, of course, points to one more thing that'll need to be added -
a container fs relabel before starting the container.

For now, you could do this using either a mount or start hook.

-serge