core/namespace: relabel bind mount source based on the target path

Some bind mounts, e.g. /tmp bind mount when PrivateTmp=disconnected,
must be explicitly relabeled because now it would have incorrect SELinux
label. /tmp is expected to have well-known SELinux label, tmp_t. Now it
has label inherited from the source directory of the bind mount.

diff --git a/src/core/namespace.c b/src/core/namespace.c
index 07e7abe7428fde4ebee74767c727c21a5e44a03b..54dd4abd7733c992988820e1da131028eb074270 100644 (file)
--- a/src/core/namespace.c
+++ b/src/core/namespace.c
@@ -1809,6 +1809,10 @@ static int apply_one_mount(
                         r = mkdir_p(mount_entry_source(m), m->source_dir_mode);
                         if (r < 0)
                                 return log_debug_errno(r, "Failed to create source directory %s: %m", mount_entry_source(m));
+
+                        r = label_fix_full(AT_FDCWD, mount_entry_source(m), mount_entry_unprefixed_path(m), /* flags= */ 0);
+                        if (r < 0)
+                                return log_error_errno(r, "Failed to set label of the source directory %s: %m", mount_entry_source(m));
                 }
 
                 r = chase(mount_entry_source(m), NULL, CHASE_TRAIL_SLASH, &chased, NULL);