[systemd-devel] nspawn remounts /selinux readonly, thus breaking logins

Zbigniew Jędrzejewski-Szmek zbyszek at in.waw.pl
Fri Jul 8 01:41:02 PDT 2011


On 07/07/2011 11:17 PM, Lennart Poettering wrote:
> On Thu, 07.07.11 16:52, Daniel J Walsh (dwalsh at redhat.com) wrote:
> 
>>>> This has a nasty consequence of breaking logins:
>>>> Jul  7 22:17:05 fedora-15 sshd[14261]: Accepted publickey for zbyszek from 192.168.122.1 port 51205 ssh2
>>>> Jul  7 20:17:05 fedora-15 sshd[14262]: fatal: mm_request_receive: read: Connection reset by peer
>>>> Jul  7 22:17:05 fedora-15 sshd[14261]: pam_selinux(sshd:session): conversation failed
>>>> Jul  7 22:17:05 fedora-15 sshd[14261]: pam_selinux(sshd:session): No response to query: Would you like to enter a security context? [N] 
>>>> Jul  7 22:17:05 fedora-15 sshd[14261]: pam_selinux(sshd:session): Unable to get valid context for zbyszek
>>>> Jul  7 22:17:05 fedora-15 sshd[14261]: pam_unix(sshd:session): session opened for user zbyszek by (uid=0)
>>>> Jul  7 22:17:05 fedora-15 sshd[14261]: error: PAM: pam_open_session(): Authentication failure
>>>> Jul  7 22:17:05 fedora-15 sshd[14264]: Received disconnect from 192.168.122.1: 11: disconnected by user
>>>>
>>>> In case of a login on a tty, the question about a security context
>>>> is displayed on the screen. In case of ssh login, it just fails
>>>> without any message displayed on the remote side.
>>>
>>> Newer versions of libselinux detect if /selinux is read-only and consider
>>> selinux disabled if it is.
But why is it disabled _outside_ of the container? This would mean that running
nspawn disables selinux.

>>>
>> Do I need to back port this to F15?
> 
> I see no immediate need as nspawn is still very new and this isn't a
> regression. That said I am sure Zbigniew would be thankful? Zbigniew?
Hi,
for me personally it isn't crucial -- I was just playing around with nspawn
and can reboot the machine easily. But, in general, I think that this could
annoy a lot of people who only have remote access. But I think that this is
an nspawn bug, so no need to backport anything yet :)

-
Zbyszek
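The condition discussed above (the selinuxfs mount being read-only, which newer libselinux treats as SELinux disabled) can be checked directly. The script below is an added example, not code from this thread or from systemd/libselinux; it parses a /proc/self/mounts-style listing and reports the selinuxfs mount state, so it works on the live system as well as on a saved copy. The sample mount lines are constructed, and matching on the fstype rather than on the path covers both /selinux and the later /sys/fs/selinux location.

```shell
#!/bin/sh
# Added example: report whether the selinuxfs mount is rw, ro or absent.
# A read-only selinuxfs is the state in which libselinux reports SELinux
# as disabled, which is what broke pam_selinux logins in the thread.

# selinuxfs_mount_state <mounts-text>
# Prints "rw", "ro" or "absent" for the first selinuxfs entry found.
selinuxfs_mount_state() {
    printf '%s\n' "$1" | awk '
        $3 == "selinuxfs" {
            # field 4 is the comma-separated option list; rw/ro comes first
            split($4, opts, ",")
            print opts[1]
            found = 1
            exit
        }
        END { if (!found) print "absent" }
    '
}

# Constructed samples: /selinux remounted read-only (as in the thread),
# a normal writable mount, and a system with no selinuxfs at all.
SAMPLE_RO='rootfs / rootfs rw 0 0
none /selinux selinuxfs ro,relatime 0 0
/dev/vda1 / ext4 rw,relatime 0 0'
SAMPLE_RW='none /selinux selinuxfs rw,relatime 0 0'
SAMPLE_NONE='rootfs / rootfs rw 0 0'

# Live check against the running system (Linux only; "absent" elsewhere).
check_live() {
    [ -r /proc/self/mounts ] || { echo "absent"; return; }
    selinuxfs_mount_state "$(cat /proc/self/mounts)"
}

# Human-readable verdict for a given mounts listing.
report() {
    case "$(selinuxfs_mount_state "$1")" in
        ro)     echo "selinuxfs is read-only: libselinux will treat SELinux as disabled" ;;
        rw)     echo "selinuxfs is writable" ;;
        absent) echo "no selinuxfs mount found" ;;
    esac
}

report "$SAMPLE_RO"
```

Run `report "$(cat /proc/self/mounts)"` (or `check_live`) inside and outside the container to compare the two views.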

