When setting up a chroot, the SELinux community will sometimes use the following set of steps:
mount --bind /selinux /var/chroot/selinux
mount -o remount,ro /var/chroot/selinux
Under F14 util-linux-ng-2.18-4.8.fc14.x86_64 the remount command results in:
mount("/selinux", "/var/chroot/selinux", 0x7ff5f154ea69, MS_MGC_VAL|MS_RDONLY|MS_REMOUNT|MS_BIND, NULL) = 0
Which clearly includes MS_BIND.
Under F15 util-linux-2.19.1-1.4.fc15.x86_64 the remount command results in:
mount("selinuxfs", "/var/chroot/selinux", 0x7ffc9dd917b0, MS_REMOUNT|MS_RELATIME, NULL) = 0
Which does NOT include the MS_BIND option.
This means that in F14 we got /selinux RW and /var/chroot/selinux RO but in F15 BOTH /selinux and /var/chroot/selinux are RO.
I can work around this by using the command:
mount -o remount,ro,bind /var/chroot/selinux
in F15, but mount broke code that was already working and I don't understand why.....
Apparently this is a result of the switch from mtab to /proc/mounts so mount doesn't know it is a bind.... dooh
Yes, this is a known issue which is documented in the mount man page.
Maybe we need something like
mount --ro-bind /mountpoint
to provide a more user-friendly command line interface for the crazy MS_RDONLY|MS_REMOUNT|MS_BIND semantics.
Note that I have added this to the upstream TODO file. We need this for all propagation flags (MS_SHARE, MS_PRIVATE, ...).
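A check for the failure mode reported above, added here as an example (it is not part of the original report or of util-linux). It reads /proc/self/mountinfo format, where field 6 holds the per-mount options and the last field holds the superblock options, and tells a read-only bind mount apart from a read-only superblock. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample: mountinfo after "mount -o remount,ro,bind".
sample_bind_remount() {
    cat <<'EOF'
20 1 0:17 / /selinux rw,relatime - selinuxfs selinuxfs rw
45 1 0:17 / /var/chroot/selinux ro,relatime - selinuxfs selinuxfs rw
EOF
}

# Constructed sample: mountinfo after "mount -o remount,ro" without "bind".
sample_plain_remount() {
    cat <<'EOF'
20 1 0:17 / /selinux rw,relatime - selinuxfs selinuxfs ro
45 1 0:17 / /var/chroot/selinux ro,relatime - selinuxfs selinuxfs ro
EOF
}

# classify_ro MOUNTPOINT < mountinfo
# Prints rw, mount-ro (only this mount is read-only), superblock-ro
# (every mount of the filesystem is read-only) or not-mounted.
classify_ro() {
    awk -v mp="$1" '
        function has_ro(opts,   n, a, j) {
            n = split(opts, a, ",")
            for (j = 1; j <= n; j++) if (a[j] == "ro") return 1
            return 0
        }
        $5 == mp {
            # Optional fields end at the "-" separator; the superblock
            # options are the third field after it.
            for (i = 7; i <= NF; i++) if ($i == "-") break
            if (has_ro($(i + 3))) res = "superblock-ro"
            else if (has_ro($6)) res = "mount-ro"
            else res = "rw"      # last matching line (topmost mount) wins
        }
        END { print (res == "" ? "not-mounted" : res) }
    '
}

# check_ro_bind SOURCE BINDMOUNT < mountinfo
# Succeeds only if BINDMOUNT is read-only while SOURCE stays writable.
check_ro_bind() {
    info=$(cat)
    src=$(printf '%s\n' "$info" | classify_ro "$1")
    dst=$(printf '%s\n' "$info" | classify_ro "$2")
    [ "$src" = "rw" ] && [ "$dst" = "mount-ro" ]
}
```

On a live system, run `check_ro_bind /selinux /var/chroot/selinux < /proc/self/mountinfo` after the remount; mount points containing spaces appear octal-escaped in mountinfo and are not decoded here.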