-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 07/08/2011 07:45 AM, Lennart Poettering wrote: > On Fri, 08.07.11 10:41, Zbigniew Jędrzejewski-Szmek ([email protected]) wrote: > >> >> On 07/07/2011 11:17 PM, Lennart Poettering wrote: >>> On Thu, 07.07.11 16:52, Daniel J Walsh ([email protected]) wrote: >>> >>>>>> This has a nasty consequence of breaking logins: >>>>>> Jul 7 22:17:05 fedora-15 sshd[14261]: Accepted publickey for zbyszek >>>>>> from 192.168.122.1 port 51205 ssh2 >>>>>> Jul 7 20:17:05 fedora-15 sshd[14262]: fatal: mm_request_receive: read: >>>>>> Connection reset by peer >>>>>> Jul 7 22:17:05 fedora-15 sshd[14261]: pam_selinux(sshd:session): >>>>>> conversation failed >>>>>> Jul 7 22:17:05 fedora-15 sshd[14261]: pam_selinux(sshd:session): No >>>>>> response to query: Would you like to enter a security context? [N] >>>>>> Jul 7 22:17:05 fedora-15 sshd[14261]: pam_selinux(sshd:session): Unable >>>>>> to get valid context for zbyszek >>>>>> Jul 7 22:17:05 fedora-15 sshd[14261]: pam_unix(sshd:session): session >>>>>> opened for user zbyszek by (uid=0) >>>>>> Jul 7 22:17:05 fedora-15 sshd[14261]: error: PAM: pam_open_session(): >>>>>> Authentication failure >>>>>> Jul 7 22:17:05 fedora-15 sshd[14264]: Received disconnect from >>>>>> 192.168.122.1: 11: disconnected by user >>>>>> >>>>>> In case of a login on a tty, the question about a security context >>>>>> is displayed on the screen. In case of ssh login, if just fails >>>>>> without any message displayed on the remote side. >>>>> >>>>> Newer versions of libselinux detect if /selinux is read-only and consider >>>>> selinux disabled if it is. >> But why is it disabled _outside_ of the container? This would mean that >> running >> nspawn disables selinux. > > Hmm? > > No, it's read-only only inside the container. We do that to make sure > the container cannot modify the selinux policy, since policies cannot be > virtualized really. > > Lennart > I have no idea what nspawn does, but if you are turning the /selinux to readonly to prevent a root process from mucking with SELinux you are not going to be successful. Since you can mount selinufs somewhere else and muck around with it. If you want to run all of the processes within the nspawn environment under a single label, Like we do with Mock, then changing /selinux to read/only with the libselinux in Rawhide will give you want you want. IE All processes within the container think SELinux is disabled, while SELinux is actually running all of the processes under confinement. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iEYEARECAAYFAk4W8TMACgkQrlYvE4MpobMc4ACdFo7fQR4avocElo3S7wLcsvbU exsAoLBWLDvdFJnLZ/saB1tvsYnJHDmh =QlHt -----END PGP SIGNATURE----- _______________________________________________ systemd-devel mailing list [email protected] http://lists.freedesktop.org/mailman/listinfo/systemd-devel
