systemd-nspawn fails to mount /sys/fs/selinux in the container after dcff2fa

[amessina]

systemd version the issue has been seen with

systemd 245 (v245.6-1.fc32)
+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN2 -IDN +PCRE2 default-hierarchy=unified

Used distribution

Fedora 32 x86_64

Unexpected behaviour you saw

systemd-nspawn[312147]: Bind-mounting /sys/fs/selinux on /var/lib/machines/fedora/sys/fs/selinux (MS_BIND "")...
systemd-nspawn[312147]: Failed to mount /sys/fs/selinux (type n/a) on /var/lib/machines/fedora/sys/fs/selinux (MS_BIND ""): No such file or directory
systemd-nspawn[312147]: Remounting /var/lib/machines/fedora/sys/fs/selinux (MS_RDONLY|MS_NOSUID|MS_NODEV|MS_NOEXEC|MS_REMOUNT|MS_BIND "")...
systemd-nspawn[312147]: Failed to mount n/a (type n/a) on /var/lib/machines/fedora/sys/fs/selinux (MS_RDONLY|MS_NOSUID|MS_NODEV|MS_NOEXEC|MS_REMOUNT|MS_BIND ""): No such file or directory

Steps to reproduce the problem
After upgrading to systemd-245.6-1.fc32.x86_64 which includes the fix for #15475: dcff2fa, the /sys/fs/selinux directory is no longer created in the container and the above errors are logged.

While unrelated, the container still shows SELinux as being disabled -- so if containers aren't able to support SELinux inside, why bind mount this directory at all (just a question--I really don't know)?

Inside the container...

~]# getenforce
Disabled

~]# ll -a /sys/fs
total 0
drwxr-xr-x. 3 root root  60 Jun  1 10:28 .
dr-xr-xr-x. 9 root root 180 Jun  1 10:28 ..
drwxr-xr-x. 5 root root   0 Jun  1 10:28 cgroup

[poettering]

While unrelated, the container still shows SELinux as being disabled -- so if containers aren't able to support SELinux inside, why bind mount this directory at all (just a question--I really don't know)?

We mount it into the contain in read-only fashion. That tells the payload that while selinux is available it shouldn't make use of it. i.e. the libselinux libraries explicitly check for the R/O status of selinuxfs, and understand that read-only means "existant, but not managed by us".

Hiding selinuxfs in the container entirely doesn't really work, as the fact that selinux is there is leaked all over the place in /proc. Moreover PID 1 generally assumes that what isn't mounted already it needs to mount itself, and we like if we can keep the same codepaths in place when systemd runs in a container and on bare metal. Hence instead of not mounting selinuxfs (so that PID 1 would then try to mount it) we do pre-mount it but mark it read-only, so that we explicitly communicate that the container payload should not mount it, but also not manage it.

[keszybz]

Hmm, I don't see this with the lastest git (and neither systemd-245.5-2.fc33.x86_64). What command are you running exactly? In what mode is selinux on the host?

[poettering]

Fix waiting in #16194