[systemd-devel] nspawn remounts /selinux readonly, thus breaking logins

Daniel J Walsh dwalsh at redhat.com
Thu Jul 7 13:52:27 PDT 2011



On 07/07/2011 04:45 PM, Lennart Poettering wrote:
> On Thu, 07.07.11 22:42, Zbigniew Jędrzejewski-Szmek (zbyszek at in.waw.pl) wrote:
> 
>> Hi,
>> on a freshly installed fedora-15 system, I've been trying out nspawn, and
>> running "systemd-nspawn -D debian-tree/" (i.e. just the shell) seems
>> to cause /selinux to be remounted ro on the _host_:
>>
>> $ rpm -q systemd
>> systemd-26-5.fc15.x86_64
>> $ mount|grep selinux
>> selinuxfs on /selinux type selinuxfs (rw,relatime)
>> $ sudo systemd-nspawn -D debian-tree/ /bin/true
>> $ mount|grep selinux
>> selinuxfs on /selinux type selinuxfs (ro,relatime)
>>
>> This has a nasty consequence of breaking logins:
>> Jul  7 22:17:05 fedora-15 sshd[14261]: Accepted publickey for zbyszek from 192.168.122.1 port 51205 ssh2
>> Jul  7 20:17:05 fedora-15 sshd[14262]: fatal: mm_request_receive: read: Connection reset by peer
>> Jul  7 22:17:05 fedora-15 sshd[14261]: pam_selinux(sshd:session): conversation failed
>> Jul  7 22:17:05 fedora-15 sshd[14261]: pam_selinux(sshd:session): No response to query: Would you like to enter a security context? [N] 
>> Jul  7 22:17:05 fedora-15 sshd[14261]: pam_selinux(sshd:session): Unable to get valid context for zbyszek
>> Jul  7 22:17:05 fedora-15 sshd[14261]: pam_unix(sshd:session): session opened for user zbyszek by (uid=0)
>> Jul  7 22:17:05 fedora-15 sshd[14261]: error: PAM: pam_open_session(): Authentication failure
>> Jul  7 22:17:05 fedora-15 sshd[14264]: Received disconnect from 192.168.122.1: 11: disconnected by user
>>
>> In case of a login on a tty, the question about a security context
>> is displayed on the screen. In case of ssh login, it just fails
>> without any message displayed on the remote side.
> 
> Newer versions of libselinux detect if /selinux is read-only and consider
> selinux as disabled if it is.
> 
> Lennart
> 
Do I need to backport this to F15?
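A host-side check for the condition described in this thread, added here as an example (not code from the thread, from systemd or from libselinux): it parses either mount(8) output, as quoted above, or /proc/mounts, and reports whether selinuxfs is mounted read-only. The sample lines are constructed to mirror the ones in the report.

```python
import re

# Constructed samples (not captured from a real host). The first two mirror the
# mount(8) lines quoted in the thread; the third is the same mount as
# /proc/mounts lists it, so the parser below handles both formats.
MOUNT_RW = "selinuxfs on /selinux type selinuxfs (rw,relatime)\n"
MOUNT_RO = "selinuxfs on /selinux type selinuxfs (ro,relatime)\n"
PROC_MOUNTS_RO = (
    "rootfs / rootfs rw 0 0\n"
    "selinuxfs /selinux selinuxfs ro,relatime 0 0\n"
)

# mount(8):     <src> on <target> type <fstype> (<opts>)
# /proc/mounts: <src> <target> <fstype> <opts> <dump> <pass>
_MOUNT8 = re.compile(r"^(\S+) on (\S+) type (\S+) \(([^)]*)\)$")
_PROCFS = re.compile(r"^(\S+) (\S+) (\S+) (\S+) \d+ \d+$")


def parse_mounts(text):
    """Yield (source, target, fstype, options) for each line in either format."""
    for line in text.splitlines():
        line = line.strip()
        m = _MOUNT8.match(line) or _PROCFS.match(line)
        if m:
            src, target, fstype, opts = m.groups()
            yield src, target, fstype, opts.split(",")


def selinuxfs_state(text):
    """Return 'absent', 'rw' or 'ro' ('ro' is the state that breaks pam_selinux above)."""
    for _, _, fstype, opts in parse_mounts(text):
        if fstype == "selinuxfs":
            return "ro" if "ro" in opts else "rw"
    return "absent"


def host_selinuxfs_state():
    """Check the running host via /proc/mounts ('absent' when it cannot be read)."""
    try:
        with open("/proc/mounts") as fh:
            return selinuxfs_state(fh.read())
    except OSError:
        return "absent"


if __name__ == "__main__":
    print("selinuxfs on this host:", host_selinuxfs_state())
```

Run it on the host before and after starting a container to reproduce the rw-to-ro transition the report shows; an "ro" result is the condition under which login via pam_selinux fails.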

