Wipe out the container's /sys/fs/selinux to not advertise SELinux

This is the second time a Podman regression has caused a selinuxfs instance to leak into the toolbox container's /sys/fs/selinux, tricking various components into trying to use SELinux. It might be better to work this around in Toolbox until the situation in Podman is figured out. Based on an idea from Colin Walters. https://github.com/containers/libpod/issues/4452
2019-11-19 17:53:34 +01:00 · 2019-11-19 17:53:34 +01:00 · f9cca5719d
commit f9cca5719d
parent 9dc5281430
1 changed files with 4 additions and 0 deletions
--- a/4
+++ b/4
@ -1201,6 +1201,10 @@ init_container()
                return 1
            fi

+            if ! mount_bind /usr/share/empty /sys/fs/selinux; then
+                return 1
+            fi
+
            if ! mount_bind /run/host/var/lib/flatpak /var/lib/flatpak ro; then
                return 1
            fi