[systemd-devel] nspawn remounts /selinux readonly, thus breaking logins

[Lennart Poettering]

On Fri, 08.07.11 10:41, Zbigniew Jędrzejewski-Szmek (zbyszek at in.waw.pl) wrote:

> 
> On 07/07/2011 11:17 PM, Lennart Poettering wrote:
> > On Thu, 07.07.11 16:52, Daniel J Walsh (dwalsh at redhat.com) wrote:
> > 
> >>>> This has a nasty consequence of breaking logins:
> >>>> Jul  7 22:17:05 fedora-15 sshd[14261]: Accepted publickey for zbyszek from 192.168.122.1 port 51205 ssh2
> >>>> Jul  7 20:17:05 fedora-15 sshd[14262]: fatal: mm_request_receive: read: Connection reset by peer
> >>>> Jul  7 22:17:05 fedora-15 sshd[14261]: pam_selinux(sshd:session): conversation failed
> >>>> Jul  7 22:17:05 fedora-15 sshd[14261]: pam_selinux(sshd:session): No response to query: Would you like to enter a security context? [N] 
> >>>> Jul  7 22:17:05 fedora-15 sshd[14261]: pam_selinux(sshd:session): Unable to get valid context for zbyszek
> >>>> Jul  7 22:17:05 fedora-15 sshd[14261]: pam_unix(sshd:session): session opened for user zbyszek by (uid=0)
> >>>> Jul  7 22:17:05 fedora-15 sshd[14261]: error: PAM: pam_open_session(): Authentication failure
> >>>> Jul  7 22:17:05 fedora-15 sshd[14264]: Received disconnect from 192.168.122.1: 11: disconnected by user
> >>>>
> >>>> In case of a login on a tty, the question about a security context
> >>>> is displayed on the screen. In case of ssh login, if just fails
> >>>> without any message displayed on the remote side.
> >>>
> >>> Newer versions of libselinux detect if /selinux is read-only and consider
> >>> selinux disabled if it is.
> But why is it disabled _outside_ of the container? This would mean that running
> nspawn disables selinux.

Hmm?

No, it's read-only only inside the container. We do that to make sure
the container cannot modify the selinux policy, since policies cannot be
virtualized really.

Lennart

-- 
Lennart Poettering - Red Hat, Inc.