[systemd-devel] nspawn remounts /selinux readonly, thus breaking logins

Lennart Poettering lennart at poettering.net
Thu Jul 7 13:45:18 PDT 2011


On Thu, 07.07.11 22:42, Zbigniew Jędrzejewski-Szmek (zbyszek at in.waw.pl) wrote:

> Hi,
> on freshly installed fedora-15 system, I've been trying out the nspawn, and
> running "systemd-nspawn -D debian-tree/" (i.e. just the shell) seems
> to cause /selinux to be remount ro on the _host_:
> 
> $ rpm -q systemd
> systemd-26-5.fc15.x86_64
> $ mount|grep selinux
> selinuxfs on /selinux type selinuxfs (rw,relatime)
> $ sudo systemd-nspawn -D debian-tree/ /bin/true
> $ mount|grep selinux
> selinuxfs on /selinux type selinuxfs (ro,relatime)
> 
> This has a nasty consequence of breaking logins:
> Jul  7 22:17:05 fedora-15 sshd[14261]: Accepted publickey for zbyszek from 192.168.122.1 port 51205 ssh2
> Jul  7 20:17:05 fedora-15 sshd[14262]: fatal: mm_request_receive: read: Connection reset by peer
> Jul  7 22:17:05 fedora-15 sshd[14261]: pam_selinux(sshd:session): conversation failed
> Jul  7 22:17:05 fedora-15 sshd[14261]: pam_selinux(sshd:session): No response to query: Would you like to enter a security context? [N] 
> Jul  7 22:17:05 fedora-15 sshd[14261]: pam_selinux(sshd:session): Unable to get valid context for zbyszek
> Jul  7 22:17:05 fedora-15 sshd[14261]: pam_unix(sshd:session): session opened for user zbyszek by (uid=0)
> Jul  7 22:17:05 fedora-15 sshd[14261]: error: PAM: pam_open_session(): Authentication failure
> Jul  7 22:17:05 fedora-15 sshd[14264]: Received disconnect from 192.168.122.1: 11: disconnected by user
> 
> In case of a login on a tty, the question about a security context
> is displayed on the screen. In case of ssh login, if just fails
> without any message displayed on the remote side.

Newer versions of libselinux detect if /selinux read-only and consider
selinux as disabled if is.

Lennart

-- 
Lennart Poettering - Red Hat, Inc.


More information about the systemd-devel mailing list