From 5a494b3e5361fc1a04d8cd392ed4166be7778d22 Mon Sep 17 00:00:00 2001
From: 89luca89
Date: Mon, 10 Jan 2022 09:55:42 +0100
Subject: [PATCH] init: wipe /sys/fs/selinux in containers so that selinux is not used inside rootless context. Fix #110
---
 distrobox-init | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/distrobox-init b/distrobox-init
index 7154281ce1..a5eea24776 100755
--- a/distrobox-init
+++ b/distrobox-init
@@ -330,6 +330,20 @@ for host_socket in ${host_sockets}; do
 fi
 done
 
+# This fix is needed as on Selinux systems, the host's selinux sysfs directory
+# will be mounted inside the rootless container.
+#
+# This works around this and allows the rootless container to work when selinux
+# policies are installed inside it.
+#
+# Ref. Podman issue 4452: https://github.com/containers/podman/issues/4452
+if [ -f "/sys/fs/selinux" ]; then
+mkdir -p /usr/share/empty
+if ! mount_bind /usr/share/empty /sys/fs/selinux rw; then
+printf "Warning: Cannot bind mount %s to /run/host%s\n" "/usr/share/empty" " /sys/fs/selinux"
+fi
+fi
+
 # In case of an RPM distro, we can specify that our bind_mount directories
 # are in fact net shares. This prevents conflicts during package installations.
 if [ -d "/usr/lib/rpm/macros.d/" ]; then
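Review bot: The guard `if [ -f "/sys/fs/selinux" ]; then` tests for a regular file, but /sys/fs/selinux is the selinuxfs mount point, i.e. a directory, so on the very systems this hunk targets the condition is false and the bind mount never happens; it should read `if [ -d "/sys/fs/selinux" ]; then`. The failure message on the printf line is also misleading: the bind target is /sys/fs/selinux, not /run/host, and the second argument carries a stray leading space, so `printf "Warning: Cannot bind mount %s to %s\n" "/usr/share/empty" "/sys/fs/selinux"` would report what actually failed. mount_bind is defined outside this hunk, so whether it already prints its own diagnostics cannot be seen here. It would help readers to extend the comment block with a sentence such as `# Note: this only hides the selinuxfs interface from tools inside the container; the host kernel's policy still applies to the container's processes.` so nobody reads the workaround as disabling enforcement.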