Mount the selinux sys dir read-only [GH-301]

2015-03-24 17:42:11 -04:00 · 2015-03-24 17:42:11 -04:00 · 7d017ada1e
commit 7d017ada1e
parent c9cd671a32
1 changed files with 6 additions and 0 deletions
--- a/lib/vagrant-lxc/action/boot.rb
+++ b/lib/vagrant-lxc/action/boot.rb
@ -20,6 +20,12 @@ module Vagrant
            config.customize 'mount.entry', '/sys/fs/pstore sys/fs/pstore none bind,optional 0 0'
          end

+          # Make selinux read-only, see
+          # https://github.com/fgrehm/vagrant-lxc/issues/301
+          if Dir.exists?('/sys/fs/selinux')
+            config.customize 'mount.entry', '/sys/fs/selinux sys/fs/selinux none bind,ro 0 0'
+          end
+
          env[:ui].info I18n.t("vagrant_lxc.messages.starting")
          env[:machine].provider.driver.start(config.customizations)