On Thu, 07.07.11 22:42, Zbigniew Jędrzejewski-Szmek ([email protected]) wrote:
> Hi,
> on a freshly installed fedora-15 system, I've been trying out nspawn, and
> running "systemd-nspawn -D debian-tree/" (i.e. just the shell) seems
> to cause /selinux to be remounted ro on the _host_:
>
> $ rpm -q systemd
> systemd-26-5.fc15.x86_64
> $ mount|grep selinux
> selinuxfs on /selinux type selinuxfs (rw,relatime)
> $ sudo systemd-nspawn -D debian-tree/ /bin/true
> $ mount|grep selinux
> selinuxfs on /selinux type selinuxfs (ro,relatime)
>
> This has the nasty consequence of breaking logins:
> Jul 7 22:17:05 fedora-15 sshd[14261]: Accepted publickey for zbyszek from 192.168.122.1 port 51205 ssh2
> Jul 7 20:17:05 fedora-15 sshd[14262]: fatal: mm_request_receive: read: Connection reset by peer
> Jul 7 22:17:05 fedora-15 sshd[14261]: pam_selinux(sshd:session): conversation failed
> Jul 7 22:17:05 fedora-15 sshd[14261]: pam_selinux(sshd:session): No response to query: Would you like to enter a security context? [N]
> Jul 7 22:17:05 fedora-15 sshd[14261]: pam_selinux(sshd:session): Unable to get valid context for zbyszek
> Jul 7 22:17:05 fedora-15 sshd[14261]: pam_unix(sshd:session): session opened for user zbyszek by (uid=0)
> Jul 7 22:17:05 fedora-15 sshd[14261]: error: PAM: pam_open_session(): Authentication failure
> Jul 7 22:17:05 fedora-15 sshd[14264]: Received disconnect from 192.168.122.1: 11: disconnected by user
>
> In the case of a login on a tty, the question about a security context
> is displayed on the screen. In the case of an ssh login, it just fails
> without any message displayed on the remote side.

Newer versions of libselinux detect if /selinux is read-only and consider selinux disabled if it is.

Lennart

--
Lennart Poettering - Red Hat, Inc.
_______________________________________________
systemd-devel mailing list
[email protected]
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
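The symptom reported above (selinuxfs silently flipping from rw to ro on the host) is easy to miss until logins start failing. The following is an added example, not code from the thread or from systemd/libselinux: a small POSIX sh check that parses a mounts table in /proc/mounts format, reports whether selinuxfs is mounted rw, ro, or not at all, and mirrors the libselinux behaviour Lennart describes by treating a read-only selinuxfs as "effectively disabled". The function names (`selinuxfs_state`, `selinux_effectively_enabled`) and the sample mount tables are constructed for this example; the mount point /selinux is the one used on the page, but the check keys on the filesystem type, so it also works with the later /sys/fs/selinux location.

```sh
#!/bin/sh
# Added example (not part of the original thread, not systemd or libselinux code).
# Parses a mounts table (default: /proc/mounts) and reports the selinuxfs state.

# Print "rw", "ro", "unknown" (selinuxfs present, no rw/ro flag) or "absent".
# $1: path to a file in /proc/mounts format; defaults to the live /proc/mounts.
selinuxfs_state() {
    mounts="${1:-/proc/mounts}"
    # /proc/mounts fields: device mountpoint fstype options dump pass.
    # Key on the fstype column so the mount point (/selinux, /sys/fs/selinux)
    # does not matter.
    awk '$3 == "selinuxfs" {
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) {
                if (opts[i] == "ro") { print "ro"; found = 1; exit }
                if (opts[i] == "rw") { print "rw"; found = 1; exit }
            }
            print "unknown"; found = 1; exit
         }
         END { if (!found) print "absent" }' "$mounts"
}

# Return 0 only when selinuxfs is mounted read-write. This mirrors the
# behaviour described in the reply: a read-only selinuxfs is treated as
# SELinux being disabled, which is what makes pam_selinux misbehave.
# $1: optional mounts file, as for selinuxfs_state.
selinux_effectively_enabled() {
    [ "$(selinuxfs_state "$1")" = "rw" ]
}

# Constructed sample mount tables (not real captures) so the check can be
# exercised offline, before and after the remount the report describes.
SAMPLE_RW=$(mktemp)
SAMPLE_RO=$(mktemp)
SAMPLE_NONE=$(mktemp)
trap 'rm -f "$SAMPLE_RW" "$SAMPLE_RO" "$SAMPLE_NONE"' EXIT

printf '%s\n' \
    'rootfs / rootfs rw 0 0' \
    'proc /proc proc rw,relatime 0 0' \
    'selinuxfs /selinux selinuxfs rw,relatime 0 0' > "$SAMPLE_RW"

printf '%s\n' \
    'rootfs / rootfs rw 0 0' \
    'proc /proc proc rw,relatime 0 0' \
    'selinuxfs /selinux selinuxfs ro,relatime 0 0' > "$SAMPLE_RO"

printf '%s\n' \
    'rootfs / rootfs rw 0 0' \
    'proc /proc proc rw,relatime 0 0' > "$SAMPLE_NONE"

# Demonstration on the constructed tables, then on the live host if present.
echo "before nspawn (sample): $(selinuxfs_state "$SAMPLE_RW")"
echo "after nspawn  (sample): $(selinuxfs_state "$SAMPLE_RO")"
echo "no selinuxfs  (sample): $(selinuxfs_state "$SAMPLE_NONE")"
if [ -r /proc/mounts ]; then
    if selinux_effectively_enabled; then
        echo "host: selinuxfs is rw, SELinux usable"
    else
        echo "host: selinuxfs is $(selinuxfs_state), SELinux effectively disabled"
    fi
fi
```

On a host showing the reported symptom, running this after the container exits prints "ro" for the live table; remounting selinuxfs read-write (or restarting with a libselinux that honours the ro state consistently) is what restores pam_selinux sessions. The check is read-only and safe to run from a cron job or a login hook.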
