
Bug 872642

Summary: libvirt should mount /sys/fs/kernel/security if present on the host
Product: Red Hat Enterprise Linux 7
Reporter: Daniel Berrangé <berrange>
Component: libvirt
Assignee: Daniel Berrangé <berrange>
Status: CLOSED CURRENTRELEASE
QA Contact: Virtualization Bugs <virt-bugs>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 7.0
CC: ajia, cwei, dwalsh, dyuan, eblake, lsu, mzhan
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: libvirt-1.1.1-3.el7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-06-13 13:15:53 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Attachments:
  This patch causes /sys/kernel/security to be mounted within the container. (Flags: none)

Description Daniel Berrangé 2012-11-02 16:12:55 UTC
Description of problem:
Libvirt should mount /sys/fs/kernel/security if present on the host. This ensures that SystemD won't create AVC logs by trying to mount it itself.

Version-Release number of selected component (if applicable):
1.0.0-1.el7

How reproducible:
Always

Steps to Reproduce:
1. Start a container
2. grep security /proc/mounts
3.
  
Actual results:
/sys/fs/kernel/security is not mounted

Expected results:
/sys/fs/kernel/security is mounted


Additional info:

Comment 1 Daniel Walsh 2012-11-06 20:37:44 UTC
Created attachment 639608 [details]
This patch causes /sys/kernel/security to be mounted within the container.

Comment 2 Eric Blake 2012-11-06 21:19:36 UTC
Can you also post the patch upstream to libvir-list, for faster review?

Comment 3 Daniel Walsh 2012-11-07 20:52:50 UTC
Eric, I was just waiting for Dan's comment.

Libvirt should mount /sys/fs/kernel/security if present on the host.

Not sure I did this part correctly. I.e., does he want us to only mount the file system if it is mounted on the host? Only if securityfs exists?

Comment 4 Daniel Walsh 2012-11-19 14:51:47 UTC
Patch sent upstream

Comment 5 Alex Jia 2013-02-01 10:24:50 UTC
(In reply to comment #4)
> Patch sent upstream

commit aa696e1846c9ddfcc25654dc4ea8762df4fd38ab
Author: Daniel J Walsh <dwalsh>
Date:   Fri Sep 28 14:11:43 2012 -0400

    build: default selinuxfs mount point to /sys/fs/selinux
    
    Currently if you build on a machine that does not support SELinux we end up
    with the default mount point being /selinux, since this is moved to
    /sys/fs/selinux, we should start defaulting there.
    
    I believe this is causing a bug in libvirt-lxc when /selinux does not exists,
    even though /sys/fs/selinux exists.

Comment 6 Alex Jia 2013-02-01 10:26:31 UTC
(In reply to comment #5)
> (In reply to comment #4)
> > Patch sent upstream
> 
> commit aa696e1846c9ddfcc25654dc4ea8762df4fd38ab

This is an internal patch on the rhel7.0 branch.

Comment 7 Daniel Berrangé 2013-02-01 10:32:09 UTC
@alex you've got the wrong patch there I'm afraid - you've mixed /sys/fs/selinux with /sys/fs/security.

Comment 8 Alex Jia 2013-02-01 10:47:59 UTC
(In reply to comment #7)
> @alex you've got the wrong patch there I'm afraid - you've mixed
> /sys/fs/selinux with /sys/fs/security.

Aha, right, I hadn't noticed this, thanks for your friendly reminder :)

In addition, I haven't found dwalsh's patch upstream, or hasn't this patch been acked yet?

Comment 9 Daniel Berrangé 2013-08-08 13:27:44 UTC
Merged upstream in

commit 6807238d87fd93dee30038bea1e8582a5f0a9fe7
Author: Dan Walsh <dwalsh>
Date:   Thu Aug 8 12:51:01 2013 +0100

    Ensure securityfs is mounted readonly in container

Comment 12 Luwen Su 2013-12-23 05:43:33 UTC
Verified with libvirt-1.1.1-16.el7.x86_64

Set up a container and start it
#virt-sandbox-service create -u httpd.service  myapache
#virsh -c lxc:/// start myapache

Enter it and check the mount status
#virt-sandbox-service connect myapache
sh4.2#cat /proc/mount | grep kernel
securityfs /sys/kernel/security securityfs ro,relatime 0 0

The securityfs has been mounted read-only.
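
The manual check above (grep the container's mount table, confirm securityfs is present and `ro`) can be scripted. The following is an added example, not part of the bug report or of libvirt: a POSIX sh function that classifies a /proc/mounts-style table as `ro`, `rw` or `missing` for the securityfs mount at /sys/kernel/security, run here against constructed sample tables modelled on the output in comment 12.

```shell
#!/bin/sh
# Added example (not from the bug report or libvirt). Classify how securityfs
# appears in a /proc/mounts-style table passed as the first argument.
# Prints "ro" (the fixed behaviour), "rw" (mounted but writable) or "missing".
# Inside a container: securityfs_state "$(cat /proc/mounts)"
securityfs_state() {
    table="$1"
    state="missing"
    # /proc/mounts fields: source mountpoint fstype options dump pass
    while read -r _src mnt fstype opts _dump _pass; do
        [ "$fstype" = "securityfs" ] || continue
        [ "$mnt" = "/sys/kernel/security" ] || continue
        # Options are comma separated; wrap in commas so "ro" matches exactly
        # and is not confused with e.g. "errors=remount-ro".
        case ",$opts," in
            *,ro,*) state="ro" ;;
            *)      state="rw" ;;
        esac
    done <<EOF
$table
EOF
    printf '%s\n' "$state"
}

# Constructed sample mount tables (not captured from a real host).
SAMPLE_FIXED='sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
securityfs /sys/kernel/security securityfs ro,relatime 0 0'
SAMPLE_RW='sysfs /sys sysfs rw,relatime 0 0
securityfs /sys/kernel/security securityfs rw,relatime 0 0'
SAMPLE_MISSING='sysfs /sys sysfs rw,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0'

# Stand-alone run: report the three constructed cases.
printf 'fixed:   %s\n' "$(securityfs_state "$SAMPLE_FIXED")"
printf 'rw:      %s\n' "$(securityfs_state "$SAMPLE_RW")"
printf 'missing: %s\n' "$(securityfs_state "$SAMPLE_MISSING")"
```

A result other than `ro` inside a libvirt LXC container indicates either the pre-fix behaviour (systemd will then try to mount securityfs itself and trigger the AVC denials the report describes) or a writable mount, which the upstream fix deliberately avoids.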

Comment 13 Ludek Smid 2014-06-13 13:15:53 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.