[systemd-devel] [PATCH] nspawn: do not check audit if --boot argument is not set

Lennart Poettering lennart at poettering.net
Sun Feb 16 12:57:55 PST 2014

On Sun, 16.02.14 00:03, Djalal Harouni (tixxdz at opendz.org) wrote:

> Currently systemd-nspawn will call reset_audit_loginuid() and check
> if audit is enabled in the kernel even if it was invoked without the
> --boot argument. This makes systemd-nspawn print the audit error message
> and sleep(5) on every execution.

But shouldn't it do that? Why would we allow audit to be broken if -b is
not specified? I mean, if you run Fedora's "passwd" inside an nspawn
that is started without -b while audit is available it will actually
fail... And "passwd" is actually usually the first thing people run
after having created the container with "yum"...

I am pretty sure the right thing is to always reset the loginuid (and
thus audit session ID) when starting an nspawn container, and also
disable the audit socket stuff like we do with the seccomp stuff. That
way both facets of the audit logic are comprehensively disabled/reset in
the container, and cannot confuse programs.


Lennart Poettering, Red Hat
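The two facets named in the reply (the loginuid / audit session ID, and the audit netlink socket) can be inspected from inside a container to confirm whether they were actually reset and blocked. The following is an added diagnostic written for this page; it is not systemd-nspawn's own code and makes no claim about how reset_audit_loginuid() is implemented. It assumes a Linux kernel, that /proc/self/loginuid reports an unset loginuid as 4294967295 ((uid_t)-1), and that a refused NETLINK_AUDIT socket() call is how a seccomp-style block would show up.

```c
/* Added example (not systemd-nspawn's own code): report, from inside a
 * process, whether the audit loginuid is unset and whether an audit
 * netlink socket can be opened at all. Linux-specific. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/netlink.h>   /* NETLINK_AUDIT */

/* Assumption: the kernel represents an unset loginuid as (uid_t)-1. */
#define LOGINUID_UNSET 4294967295ULL

enum loginuid_state { LOGINUID_STATE_UNSET, LOGINUID_STATE_SET, LOGINUID_STATE_UNKNOWN };

/* Classify the text of /proc/self/loginuid, e.g. "1000\n" or "4294967295\n". */
enum loginuid_state classify_loginuid(const char *text) {
    char *end;
    unsigned long long v;

    if (!text || !*text || *text == '-')   /* strtoull would accept "-1" and wrap */
        return LOGINUID_STATE_UNKNOWN;
    errno = 0;
    v = strtoull(text, &end, 10);
    if (errno != 0 || end == text)
        return LOGINUID_STATE_UNKNOWN;
    while (*end == '\n' || *end == ' ')
        end++;
    if (*end != '\0')
        return LOGINUID_STATE_UNKNOWN;
    return v == LOGINUID_UNSET ? LOGINUID_STATE_UNSET : LOGINUID_STATE_SET;
}

/* Read a loginuid file (normally /proc/self/loginuid) and classify it. */
enum loginuid_state read_loginuid_state(const char *path) {
    char buf[32];
    FILE *f = fopen(path, "r");
    if (!f)
        return LOGINUID_STATE_UNKNOWN;
    if (!fgets(buf, sizeof buf, f)) {
        fclose(f);
        return LOGINUID_STATE_UNKNOWN;
    }
    fclose(f);
    return classify_loginuid(buf);
}

/* Try to create an audit netlink socket. Returns 1 if the kernel hands
 * one out, 0 if the call is refused (no audit support, or a filter such
 * as seccomp blocking it). Nothing is sent to the audit subsystem. */
int audit_socket_reachable(void) {
    int fd = socket(AF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, NETLINK_AUDIT);
    if (fd < 0)
        return 0;
    close(fd);
    return 1;
}

int main(void) {
    static const char *names[] = { "unset", "set", "unknown" };
    enum loginuid_state s = read_loginuid_state("/proc/self/loginuid");
    printf("loginuid: %s\n", names[s]);
    printf("audit netlink socket: %s\n",
           audit_socket_reachable() ? "reachable" : "refused");
    return 0;
}
```

Run inside the container: a "set" loginuid or a "reachable" audit socket means the respective facet was not reset or blocked for that process, which is the situation the reply says can confuse programs such as passwd.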
