On Fri, 08.07.11 10:41, Zbigniew Jędrzejewski-Szmek ([email protected]) wrote:
> On 07/07/2011 11:17 PM, Lennart Poettering wrote:
> > On Thu, 07.07.11 16:52, Daniel J Walsh ([email protected]) wrote:
> >
> > > > This has a nasty consequence of breaking logins:
> > > > Jul 7 22:17:05 fedora-15 sshd[14261]: Accepted publickey for zbyszek
> > > > from 192.168.122.1 port 51205 ssh2
> > > > Jul 7 20:17:05 fedora-15 sshd[14262]: fatal: mm_request_receive: read:
> > > > Connection reset by peer
> > > > Jul 7 22:17:05 fedora-15 sshd[14261]: pam_selinux(sshd:session):
> > > > conversation failed
> > > > Jul 7 22:17:05 fedora-15 sshd[14261]: pam_selinux(sshd:session): No
> > > > response to query: Would you like to enter a security context? [N]
> > > > Jul 7 22:17:05 fedora-15 sshd[14261]: pam_selinux(sshd:session): Unable
> > > > to get valid context for zbyszek
> > > > Jul 7 22:17:05 fedora-15 sshd[14261]: pam_unix(sshd:session): session
> > > > opened for user zbyszek by (uid=0)
> > > > Jul 7 22:17:05 fedora-15 sshd[14261]: error: PAM: pam_open_session():
> > > > Authentication failure
> > > > Jul 7 22:17:05 fedora-15 sshd[14264]: Received disconnect from
> > > > 192.168.122.1: 11: disconnected by user
> > > >
> > > > In case of a login on a tty, the question about a security context
> > > > is displayed on the screen. In case of ssh login, it just fails
> > > > without any message displayed on the remote side.
> > >
> > > Newer versions of libselinux detect if /selinux is read-only and consider
> > > selinux disabled if it is.
>
> But why is it disabled _outside_ of the container? This would mean that
> running nspawn disables selinux. Hmm?

No, it's read-only only inside the container. We do that to make sure
the container cannot modify the selinux policy, since policies cannot be
virtualized really.

Lennart

-- 
Lennart Poettering - Red Hat, Inc.

_______________________________________________
systemd-devel mailing list
[email protected]
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
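The distinction Lennart draws, that selinuxfs is read-only only from inside the container, is something an administrator can check directly from the mount table of the process in question. The script below is an added example, not code from this thread, from systemd-nspawn or from libselinux; it classifies the selinuxfs mount a process sees as read-write, read-only (the state that newer libselinux treats as "SELinux disabled", per Daniel's note) or absent. The `/selinux` mount point matches the Fedora 15 era discussed here; current systems mount selinuxfs at `/sys/fs/selinux`, which the check handles the same way because it keys on the filesystem type, not the path. The sample mount tables are constructed for the example and are not output from any real host or container.

```shell
#!/bin/sh
# Added example, not code from the systemd-devel thread, systemd or libselinux.
# Reports whether the selinuxfs mount visible in a mount table is read-write,
# read-only (what nspawn gives a container, per the thread, and what newer
# libselinux treats as "SELinux disabled") or absent. The table path is a
# parameter so the function runs against a constructed sample as well as the
# live /proc/self/mounts.

selinuxfs_state() {
    mounts="$1"
    # In a mounts table, field 3 is the filesystem type and field 4 the
    # comma-separated mount options. Matching on the type rather than the
    # path covers both /selinux (Fedora 15) and /sys/fs/selinux (current).
    opts=$(awk '$3 == "selinuxfs" { print $4; exit }' "$mounts")
    if [ -z "$opts" ]; then
        echo "absent"
        return 0
    fi
    # Wrap in commas so "ro" is matched as a whole option, not as a substring
    # of something like "errors=remount-ro".
    case ",$opts," in
        *,ro,*) echo "read-only" ;;
        *)      echo "read-write" ;;
    esac
}

# Constructed sample mount tables (not captured from any real system).
HOST_MOUNTS='rootfs / rootfs rw 0 0
selinuxfs /selinux selinuxfs rw,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0'

CONTAINER_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
selinuxfs /selinux selinuxfs ro,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0'

# Writes a sample table to a temporary file, classifies it and cleans up.
state_of_sample() {
    tmp=$(mktemp)
    printf '%s\n' "$1" > "$tmp"
    selinuxfs_state "$tmp"
    rm -f "$tmp"
}

# Stand-alone use: classify the live mount table (when present), then the
# two samples. Run it once on the host and once inside the container to see
# the difference the thread describes.
if [ -r /proc/self/mounts ]; then
    echo "this process:     $(selinuxfs_state /proc/self/mounts)"
fi
echo "host sample:      $(state_of_sample "$HOST_MOUNTS")"
echo "container sample: $(state_of_sample "$CONTAINER_MOUNTS")"
```

On the host the live line should read `read-write`; inside an nspawn container it reads `read-only`, which is the condition under which pam_selinux's context query becomes pointless and libselinux reports SELinux as disabled, while the host's own enforcement is unaffected.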
