nspawn: mkdir selinux mount point once, but not twice

Since #15533 we didn't create the mount point for selinuxfs anymore.

Before it we created it twice because we mount selinuxfs twice: once the
superblock, and once we remount its bind mound read-only. The second
mkdir would mean we'd chown() the host version of selinuxfs (since
there's only one selinuxfs superblock kernel-wide).

The right time to create mount point point is once: before we mount the
selinuxfs. But not a second time for the remount.

Fixes: #16032

diff --git a/src/nspawn/nspawn-mount.c b/src/nspawn/nspawn-mount.c
index eb80c2960bd34da907834d52d9f465d6905a050a..2fbaf656925a3ecb639c2f124bc8f7c365177dfe 100644 (file)
--- a/src/nspawn/nspawn-mount.c
+++ b/src/nspawn/nspawn-mount.c
@@ -619,9 +619,9 @@ int mount_all(const char *dest,
 
 #if HAVE_SELINUX
                 { "/sys/fs/selinux", "/sys/fs/selinux", NULL,    NULL,                             MS_BIND,
-                  0 },  /* Bind mount first */
+                  MOUNT_MKDIR },  /* Bind mount first (mkdir/chown the mount point in case /sys/ is mounted as minimal skeleton tmpfs) */
                 { NULL,              "/sys/fs/selinux", NULL,    NULL,                             MS_BIND|MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_REMOUNT,
-                  0 },  /* Then, make it r/o */
+                  0 },            /* Then, make it r/o (don't mkdir/chown the mount point here, the previous entry already did that) */
 #endif
         };