-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 07/08/2011 08:18 AM, Zbigniew Jędrzejewski-Szmek wrote:
> On 07/08/2011 01:59 PM, Daniel J Walsh wrote:
>> On 07/08/2011 07:45 AM, Lennart Poettering wrote:
>>> On Fri, 08.07.11 10:41, Zbigniew Jędrzejewski-Szmek ([email protected])
>>> wrote:
>>
>>>> On 07/07/2011 11:17 PM, Lennart Poettering wrote:
>>>>> On Thu, 07.07.11 16:52, Daniel J Walsh ([email protected]) wrote:
>>>>>
>>>>>>>> This has a nasty consequence of breaking logins:
>>>>>>>> Jul 7 22:17:05 fedora-15 sshd[14261]: Accepted publickey for zbyszek
>>>>>>>> from 192.168.122.1 port 51205 ssh2
>>>>>>>> Jul 7 20:17:05 fedora-15 sshd[14262]: fatal: mm_request_receive:
>>>>>>>> read: Connection reset by peer
>>>>>>>> Jul 7 22:17:05 fedora-15 sshd[14261]: pam_selinux(sshd:session):
>>>>>>>> conversation failed
>>>>>>>> Jul 7 22:17:05 fedora-15 sshd[14261]: pam_selinux(sshd:session): No
>>>>>>>> response to query: Would you like to enter a security context? [N]
>>>>>>>> Jul 7 22:17:05 fedora-15 sshd[14261]: pam_selinux(sshd:session):
>>>>>>>> Unable to get valid context for zbyszek
>>>>>>>> Jul 7 22:17:05 fedora-15 sshd[14261]: pam_unix(sshd:session): session
>>>>>>>> opened for user zbyszek by (uid=0)
>>>>>>>> Jul 7 22:17:05 fedora-15 sshd[14261]: error: PAM: pam_open_session():
>>>>>>>> Authentication failure
>>>>>>>> Jul 7 22:17:05 fedora-15 sshd[14264]: Received disconnect from
>>>>>>>> 192.168.122.1: 11: disconnected by user
>>>>>>>>
>>>>>>>> In case of a login on a tty, the question about a security context
>>>>>>>> is displayed on the screen. In case of ssh login, it just fails
>>>>>>>> without any message displayed on the remote side.
>>>>>>>
>>>>>>> Newer versions of libselinux detect if /selinux is read-only and
>>>>>>> consider selinux disabled if it is.
>>>>
>>>> But why is it disabled _outside_ of the container? This would mean that
>>>> running nspawn disables selinux.
>>
>>> Hmm?
>>
>>> No, it's read-only only inside the container. We do that to make sure
>>> the container cannot modify the selinux policy, since policies cannot be
>>> virtualized really.
>
> Nope, it becomes read-only outside. Some bug?
> Repeating the commands from the original mail:
>
> [zbyszek@fedora-15 ~]$ mount|grep selinux
> selinuxfs on /selinux type selinuxfs (rw,relatime) <----------------- RW here
> [zbyszek@fedora-15 ~]$ sudo systemd-nspawn -D debian-tree/ /bin/true
> Spawning namespace container on /home/zbyszek/debian-tree (console is /dev/pts/2).
> [zbyszek@fedora-15 ~]$ mount|grep selinux
> selinuxfs on /selinux type selinuxfs (ro,relatime) <----------------- RO now
>
>> I have no idea what nspawn does, but if you are turning /selinux to
>> read-only to prevent a root process from mucking with SELinux you are not
>> going to be successful, since you can mount selinuxfs somewhere else and
>> muck around with it.
>
> As I understand, absolute security is not one of the goals of nspawn. It is
> only intended to prevent accidental breakage.
>
>> If you want to run all of the processes within the
>> nspawn environment under a single label, like we do with Mock, then
>> changing /selinux to read-only with the libselinux in Rawhide will give
>> you what you want. I.e. all processes within the container think SELinux
>> is disabled, while SELinux is actually running all of the processes
>> under confinement.
>
> Zbyszek

Lennart, I think to make this work correctly you need to bind mount /selinux
on /selinux, then make the mount point private, then finally mount selinuxfs
on /selinux read-only. Otherwise, since / is shared, the mounting within the
namespace will show up in all namespaces.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk4W9loACgkQrlYvE4MpobNREgCgnXFPQDL6rJCPxm1jSRNJor5G
ykQAni8GagyFkLjIwzI8DCOxckSR70Nh
=6I8m
-----END PGP SIGNATURE-----
_______________________________________________
systemd-devel mailing list
[email protected]
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
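The three-step mount sequence Dan Walsh proposes at the end of the mail (bind-mount the selinuxfs mount point onto itself, mark it private, then mount selinuxfs read-only on top), together with a check for the symptom Zbyszek observed (the host's own selinuxfs flipping to `ro`), written out as an added shell example. This is not code from the thread or from systemd-nspawn. It assumes the Fedora 15 mount point `/selinux` (override with `SELINUXFS`, since newer systems use `/sys/fs/selinux`), that the mount steps are run as root inside the container's mount namespace (for instance under `unshare -m`), and that the check is fed `mount`-style output lines of the form `selinuxfs on /selinux type selinuxfs (rw,relatime)`.

```shell
#!/bin/sh
# Added example, not part of the original thread or of systemd-nspawn.
# Assumption: the selinuxfs mount point is /selinux (Fedora 15 layout used
# in the thread); newer systems use /sys/fs/selinux.
SELINUXFS="${SELINUXFS:-/selinux}"

# Print the option list (e.g. "rw,relatime") of the selinuxfs mount found in
# `mount`-style output on stdin. Exits 1 and prints nothing if none is listed.
selinuxfs_options() {
    awk '$1 == "selinuxfs" && $5 == "selinuxfs" {
             gsub(/[()]/, "", $6); print $6; found = 1
         }
         END { exit found ? 0 : 1 }'
}

# Return 0 if the selinuxfs mount described on stdin carries the "ro" option.
# Run as `mount | selinuxfs_is_readonly` on the host after spawning a
# container: if it returns 0, the read-only mount propagated out of the
# namespace, which is the bug reported in the thread.
selinuxfs_is_readonly() {
    opts=$(selinuxfs_options) || return 1
    case ",$opts," in
        *,ro,*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Dan Walsh's sequence, in order. Requires root and must run inside the
# container's mount namespace (e.g. `unshare -m sh -c '...'`), never on the
# host itself:
#  1. bind-mount the mount point onto itself so it is a mount of its own,
#  2. mark that mount private so changes to it stop propagating to the
#     peer group it inherited from the shared root,
#  3. mount selinuxfs read-only on top of it.
make_selinuxfs_readonly_private() {
    mount --bind "$SELINUXFS" "$SELINUXFS" &&
    mount --make-private "$SELINUXFS" &&
    mount -t selinuxfs -o ro selinuxfs "$SELINUXFS"
}
```

After the container has started, `mount | selinuxfs_is_readonly` on the host should fail (exit 1); if it succeeds, the read-only mount leaked out of the namespace exactly as in Zbyszek's `mount|grep selinux` transcript. Note, as Dan points out in the mail, that a read-only `/selinux` only prevents accidental breakage: root inside the container can still mount selinuxfs elsewhere, so confinement has to come from the SELinux label the container's processes run under, not from this mount.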
