From 1acf344dfa28a4941083b699ed65da65ee3b40e8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= Date: Tue, 4 Feb 2020 18:07:07 +0100 Subject: [PATCH] core: do not prepare a SELinux context for dummy files for devicenode bind-mounting Let systemd create the dummy file where a device node will be mounted on with the default label for the parent directory (e.g. /tmp/namespace-dev-yTMwAe/dev/). Fixes: #13762 --- src/core/namespace.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/src/core/namespace.c b/src/core/namespace.c index 7785405830..07c9ac2b51 100644 --- a/src/core/namespace.c +++ b/src/core/namespace.c @@ -629,10 +629,9 @@ static int clone_device_node( } /* We're about to fallback to bind-mounting the device - * node. So create a dummy bind-mount target. */ - mac_selinux_create_file_prepare(d, 0); + * node. So create a dummy bind-mount target. + * Do not prepare device-node SELinux label (see issue 13762) */ r = mknod(dn, S_IFREG, 0); - mac_selinux_create_file_clear(); if (r < 0 && errno != EEXIST) return log_debug_errno(errno, "mknod() fallback failed for '%s': %m", d);