subject:"\[systemd\-devel\] systemd and chroot\(\)"

Re: [systemd-devel] systemd and chroot()

2019-06-04 Thread Steve Dickson



On 6/4/19 1:14 PM, Zbigniew Jędrzejewski-Szmek wrote:
> On Tue, Jun 04, 2019 at 12:42:35PM -0400, Steve Dickson wrote:
>> Hello,
>>
>> We are adding some new functionality to the NFS server that 
>> will make it a bit more container friendly... 
>>
>> This new functionality needs to do a chroot(2) system call. 
>> This systemcall is failing with EPERM due to the
>> following AVC error:
>>
>> AVC avc:  denied  { sys_chroot } for  pid=2919 comm="rpc.mountd" 
>> capability=18  scontext=system_u:system_r:nfsd_t:s0 
>> tcontext=system_u:system_r:nfsd_t:s0 tclass=capability permissive=0
> 
> It doesn't sound right to do any kind of chrooting yourself.
> Why can't you use the systemd builtins for this?
The patch set is basically adding a pseudo to all the export
which should make things a bit more container friendly...
There is the thread
https://www.spinics.net/lists/linux-nfs/msg73006.html

steved.
> 
> Zbyszek
> 
>> The entery in the /var/loc/audit.log
>> type=AVC msg=audit(1559659652.217:250): avc:  denied  { sys_chroot } for  
>> pid=2412 comm="rpc.mountd" capability=18  
>> scontext=system_u:system_r:nfsd_t:s0 tcontext=system_u:system_r:nfsd_t:s0 
>> tclass=capability permissive=0
>>
>> It definitely is something with systemd, since I can
>> start the daemon by hand... 
>>
>> It was suggested I make the following change to the service unit
>> # diff -u nfs-mountd.service.orig nfs-mountd.service
>> --- nfs-mountd.service.orig  2019-06-04 10:38:57.0 -0400
>> +++ nfs-mountd.service   2019-06-04 12:29:34.339621802 -0400
>> @@ -11,3 +11,4 @@
>>  [Service]
>>  Type=forking
>>  ExecStart=/usr/sbin/rpc.mountd
>> +AmbientCapabilities=CAP_SYS_CHROOT
>>
>> which did not work. 
>>
>> Any ideas on how to tell systemd its ok for a daemon
>> to do a chroot(2) system call?
>>
>> tia,
>>
>> steved.
>> ___
>> systemd-devel mailing list
>> systemd-devel@lists.freedesktop.org
>> https://lists.freedesktop.org/mailman/listinfo/systemd-devel
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] systemd and chroot()

2019-06-04 Thread Steve Dickson



On 6/4/19 12:45 PM, Matthew Garrett wrote:
> On Tue, Jun 4, 2019 at 9:42 AM Steve Dickson  wrote:
>> AVC avc:  denied  { sys_chroot } for  pid=2919 comm="rpc.mountd" 
>> capability=18  scontext=system_u:system_r:nfsd_t:s0 
>> tcontext=system_u:system_r:nfsd_t:s0 tclass=capability permissive=0
> 
> This is an SELinux policy violation, nothing to do with systemd.
Yeah... that's what I originally thought it was but when
it was suggested to set  AmbientCapabilities=CAP_SYS_CHROOT
in the service unit I figured I would run it by you guys..

> You're probably not seeing it when you run the daemon by hand because
> the SELinux policy doesn't specify a transition in that case, so the
> daemon doesn't end up running in the confined context.
> 
Makes sense... thanks!

steved.
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] systemd and chroot()

2019-06-04 Thread Zbigniew Jędrzejewski-Szmek

On Tue, Jun 04, 2019 at 12:42:35PM -0400, Steve Dickson wrote:
> Hello,
> 
> We are adding some new functionality to the NFS server that 
> will make it a bit more container friendly... 
> 
> This new functionality needs to do a chroot(2) system call. 
> This systemcall is failing with EPERM due to the
> following AVC error:
> 
> AVC avc:  denied  { sys_chroot } for  pid=2919 comm="rpc.mountd" 
> capability=18  scontext=system_u:system_r:nfsd_t:s0 
> tcontext=system_u:system_r:nfsd_t:s0 tclass=capability permissive=0

It doesn't sound right to do any kind of chrooting yourself.
Why can't you use the systemd builtins for this?

Zbyszek

> The entery in the /var/loc/audit.log
> type=AVC msg=audit(1559659652.217:250): avc:  denied  { sys_chroot } for  
> pid=2412 comm="rpc.mountd" capability=18  
> scontext=system_u:system_r:nfsd_t:s0 tcontext=system_u:system_r:nfsd_t:s0 
> tclass=capability permissive=0
> 
> It definitely is something with systemd, since I can
> start the daemon by hand... 
> 
> It was suggested I make the following change to the service unit
> # diff -u nfs-mountd.service.orig nfs-mountd.service
> --- nfs-mountd.service.orig   2019-06-04 10:38:57.0 -0400
> +++ nfs-mountd.service2019-06-04 12:29:34.339621802 -0400
> @@ -11,3 +11,4 @@
>  [Service]
>  Type=forking
>  ExecStart=/usr/sbin/rpc.mountd
> +AmbientCapabilities=CAP_SYS_CHROOT
> 
> which did not work. 
> 
> Any ideas on how to tell systemd its ok for a daemon
> to do a chroot(2) system call?
> 
> tia,
> 
> steved.
> ___
> systemd-devel mailing list
> systemd-devel@lists.freedesktop.org
> https://lists.freedesktop.org/mailman/listinfo/systemd-devel
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] systemd and chroot()

2019-06-04 Thread Matthew Garrett

On Tue, Jun 4, 2019 at 9:42 AM Steve Dickson  wrote:
> AVC avc:  denied  { sys_chroot } for  pid=2919 comm="rpc.mountd" 
> capability=18  scontext=system_u:system_r:nfsd_t:s0 
> tcontext=system_u:system_r:nfsd_t:s0 tclass=capability permissive=0

This is an SELinux policy violation, nothing to do with systemd.
You're probably not seeing it when you run the daemon by hand because
the SELinux policy doesn't specify a transition in that case, so the
daemon doesn't end up running in the confined context.
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel

[systemd-devel] systemd and chroot()

2019-06-04 Thread Steve Dickson

Hello,

We are adding some new functionality to the NFS server that 
will make it a bit more container friendly... 

This new functionality needs to do a chroot(2) system call. 
This systemcall is failing with EPERM due to the
following AVC error:

AVC avc:  denied  { sys_chroot } for  pid=2919 comm="rpc.mountd" capability=18  
scontext=system_u:system_r:nfsd_t:s0 tcontext=system_u:system_r:nfsd_t:s0 
tclass=capability permissive=0

The entery in the /var/loc/audit.log
type=AVC msg=audit(1559659652.217:250): avc:  denied  { sys_chroot } for  
pid=2412 comm="rpc.mountd" capability=18  scontext=system_u:system_r:nfsd_t:s0 
tcontext=system_u:system_r:nfsd_t:s0 tclass=capability permissive=0

It definitely is something with systemd, since I can
start the daemon by hand... 

It was suggested I make the following change to the service unit
# diff -u nfs-mountd.service.orig nfs-mountd.service
--- nfs-mountd.service.orig 2019-06-04 10:38:57.0 -0400
+++ nfs-mountd.service  2019-06-04 12:29:34.339621802 -0400
@@ -11,3 +11,4 @@
 [Service]
 Type=forking
 ExecStart=/usr/sbin/rpc.mountd
+AmbientCapabilities=CAP_SYS_CHROOT

which did not work. 

Any ideas on how to tell systemd its ok for a daemon
to do a chroot(2) system call?

tia,

steved.
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] systemd and chroot()

Re: [systemd-devel] systemd and chroot()

Re: [systemd-devel] systemd and chroot()

Re: [systemd-devel] systemd and chroot()

[systemd-devel] systemd and chroot()

5 matches

Site Navigation

Mail list logo

Footer information