From 7d017ada1e8eda5e08d0527dbe1b01edae5de033 Mon Sep 17 00:00:00 2001
From: Aron Griffis
Date: Tue, 24 Mar 2015 17:42:11 -0400
Subject: [PATCH] Mount the selinux sys dir read-only [GH-301]

---
 lib/vagrant-lxc/action/boot.rb | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/lib/vagrant-lxc/action/boot.rb b/lib/vagrant-lxc/action/boot.rb
index 5a95635..90b783f 100644
--- a/lib/vagrant-lxc/action/boot.rb
+++ b/lib/vagrant-lxc/action/boot.rb
@@ -20,6 +20,12 @@ module Vagrant
 config.customize 'mount.entry', '/sys/fs/pstore sys/fs/pstore none bind,optional 0 0'
 end
 
+ # Make selinux read-only, see
+ # https://github.com/fgrehm/vagrant-lxc/issues/301
+ if Dir.exists?('/sys/fs/selinux')
+ config.customize 'mount.entry', '/sys/fs/selinux sys/fs/selinux none bind,ro 0 0'
+ end
+
 env[:ui].info I18n.t("vagrant_lxc.messages.starting")
 env[:machine].provider.driver.start(config.customizations)