'init-container' fails when /var/lib/flatpak, /var/lib/systemd/coredump or /var/log/journal on the host are mounted with nodev, noexec or nosuid

[AbsolutelyLudicrous]

Describe the bug
toolbox enter fails when /var/log is a mounted btrfs volume. Of note is that unmounting, then remounting, /var/log does not prevent an already started container from being entered. Having /var/log mounted as a tmpfs seems to work just fine, however.

Steps how to reproduce the behaviour
Mount a btrfs volume on /var/log and try to start a container.

Expected behaviour
Toolboxes run just fine

Actual behaviour
toolbox enter fails with a cryptic error message about an invalid entry point PID.

Output of toolbox --version (v0.0.90+)
toolbox version 0.0.99.2

Toolbox package info (rpm -q toolbox)
toolbox-0.0.99.2^3.git075b9a8d2779-4.fc35.x86_64

Output of podman version

Version:      3.4.1
API Version:  3.4.1
Go Version:   go1.16.8
Built:        Wed Oct 20 10:31:56 2021
OS/Arch:      linux/amd64

Podman package info (rpm -q podman)
podman-3.4.1-1.fc35.x86_64

Info about your OS
Fedora Silverblue 35; recently upgraded from F34, if that matters

Additional context
I am 80% sure this worked at one point, and that the Silverblue wiki did not mention /var/log as a forbidden mount.

If you see an error message saying: Error: invalid entry point PID of container <name-of-container>, add to the ticket output of command podman start --attach <name-of-container>.

Attached below. The relevant part is:

level=debug msg="Creating directory /var/log/journal"
level=debug msg="Binding /var/log/journal to /run/host/var/log/journal"
mount: /var/log/journal: filesystem was mounted, but any subsequent operation failed: Unknown error 5005.
Error: failed to bind /var/log/journal to /run/host/var/log/journal

tb-enter-dev.txt

podman-start.txt

The relevant part of my fstab is:

/dev/sda4 /var/log btrfs subvol=@varlog,compress=zstd:1,nosuid,nodev 0 0

[debarshiray]

I think this command is failing inside the container:

# mount --rbind -o ro /run/host/var/log/journal /var/log/journal

/run/host inside the container is an outcome of:

$ podman create ... --volume /:/run/host:rslave ...

Would it be possible for you to play with your set-up and figure out a mount configuration that works? That would greatly help to move this forward.

[debarshiray]

I think this command is failing inside the container:

# mount --rbind -o ro /run/host/var/log/journal /var/log/journal

/run/host inside the container is an outcome of:

$ podman create ... --volume /:/run/host:rslave ...

While playing with this, I realized that in practice one also needs --privileged:

$ podman create ... --privileged --volume /:/run/host:rslave ...

[debarshiray]

Pull request from earlier today: #1340

Testing appreciated.

[debarshiray]

Pull request from earlier today: #1340

Testing appreciated.

Received some positive feedback downstream: https://bugzilla.redhat.com/show_bug.cgi?id=2144541