How to make a drive mount avaialble inside a container

Selinux needs to be running in your physical host, because Selinux runs in the kernel side and your container share the kernel with physical host.

Container is a normal process that run in other namespace

I've experienced the same. The reason, in my case, is that the filesystem to be bind-mounted is owned by UID:GID in the range of the host machine.

An unprivileged container, by definition, uses UIDs outside the normal range, and a user namespace to give the appearance of normality in the container.

Note that everything below the container's init belongs to numeric UID 1000000, as seen from the host machine. Within the container, PID1 is UID root, as expected.

What does that mean? If, in the host machine, you have a filesystem owned by a normal user (maybe root, maybe regular user), and then bind-mount it in the container, the UIDs (which are stored as integers) make no sense within the container.

Further, because the UIDs the container sees don't even belong to its user namespace, not even root inside the container can chown those files.

Solution: In the host machine, chown the files so that they belong to root inside the container. In my case, as pictured above, I had to:

• Mount tank/mydataset at /tank/mydataset in the host machine
• chown 1000000:1000000 /tank/mydataset
• (In the container config file) lxc.mount.entry = /tank/mydataset path/in/container/ none bind 0 0