On Wed, 20.05.15 22:40, Martin Pitt ([email protected]) wrote:

> Hey Lennart,
>
> Lennart Poettering [2015-05-20 17:49 +0200]:
> > Nope, ConditionSecurity=audit is only a simple boolean check that
> > holds when audit is enabled at all. It doesn't tell you anything about
> > the precise audit feature set of the kernel.
>
> Ah, thanks for the clarification.
>
> > I have now conditionalized the unit on CAP_ADMIN_READ, which is the
> > cap that you need to read the audit multicast stuff. Your container
> > manager hence should simply drop that cap from the cap set it passes
> > and all should be good.
>
> Wonderful! Now it works perfectly in nspawn. (This needs to be fixed
> in unprivileged LXC containers, but that's not a systemd problem; I'll
> talk to LXC upstream about that.)
>
> With these two fixes, should we now remove the scary warning in
> README? AFAICS there is no need to turn auditing off on the host any
> more.
As mentioned before: unless you turn auditing off in the kernel, you
cannot even log into any Fedora system running in a container (unless
you have the seccomp trick on and are on x86-64). The message hence
really should stay.

Note that Debian/Ubuntu are not as restrictive regarding audit as
Fedora is. In Fedora, due to government craziness, failing audit will
result in refused logins, and that's the issue here.

Lennart

-- 
Lennart Poettering, Red Hat
_______________________________________________
systemd-devel mailing list
[email protected]
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
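Added example, not part of the thread and not systemd or LXC code: it shows concretely what the capability-based condition discussed above tests and what a container manager does to make it fail. The Linux capability that gates subscribing to the kernel's audit log multicast group is CAP_AUDIT_READ (Linux 3.16 and later; the "CAP_ADMIN_READ" in the quoted mail is evidently a typo for it), and systemd's ConditionCapability= tests the capability bounding set of the service manager. The program below reads and drops that bit of the bounding set with prctl(2), exactly as a container manager would before exec'ing the container's init, and then attempts the privileged operation itself (joining AUDIT_NLGRP_READLOG on a NETLINK_AUDIT socket). It is Linux-only; the fallback macro values are assumptions for systems whose UAPI headers predate 3.16, and the helper names are mine.

```c
/* Added example (not from the thread): what ConditionCapability=CAP_AUDIT_READ
 * checks, what a container manager drops, and the privileged operation that
 * the condition stands in for.
 *
 * Build: cc -Wall -o audit_cap audit_cap.c   (Linux only)
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <linux/capability.h>
#include <linux/netlink.h>
#include <linux/audit.h>

/* Assumed fallback values for headers older than Linux 3.16. */
#ifndef CAP_AUDIT_READ
#define CAP_AUDIT_READ 37
#endif
#ifndef AUDIT_NLGRP_READLOG
#define AUDIT_NLGRP_READLOG 1
#endif
#ifndef SOL_NETLINK
#define SOL_NETLINK 270
#endif

/* The check behind ConditionCapability=: is cap in this process's
 * capability bounding set?  Returns 1 (yes), 0 (no), or -1 when the
 * running kernel does not know that capability number (EINVAL). */
int cap_in_bounding_set(int cap)
{
    int r = prctl(PR_CAPBSET_READ, (unsigned long)cap, 0, 0, 0);
    return r < 0 ? -1 : r;
}

/* What a container manager does before exec'ing the container's init:
 * remove cap from the bounding set, so nothing exec'ed afterwards can
 * ever gain it.  Note this does not strip the cap from the *current*
 * process's effective set; it limits what children acquire on execve.
 * Requires CAP_SETPCAP.  Returns 0 or -errno. */
int drop_cap_from_bounding_set(int cap)
{
    if (prctl(PR_CAPBSET_DROP, (unsigned long)cap, 0, 0, 0) < 0)
        return -errno;
    return 0;
}

/* The operation the condition approximates: subscribe to the kernel's
 * audit log multicast group.  The kernel demands CAP_AUDIT_READ for this
 * bind, so an unprivileged caller gets EPERM; a kernel without audit
 * support fails already at socket() (e.g. EPROTONOSUPPORT).
 * Returns 0 on success or -errno. */
int try_join_audit_readlog(void)
{
    int fd = socket(AF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, NETLINK_AUDIT);
    if (fd < 0)
        return -errno;
    int grp = AUDIT_NLGRP_READLOG;
    int rc = 0;
    if (setsockopt(fd, SOL_NETLINK, NETLINK_ADD_MEMBERSHIP, &grp, sizeof grp) < 0)
        rc = -errno;
    close(fd);
    return rc;
}

int main(void)
{
    int have = cap_in_bounding_set(CAP_AUDIT_READ);
    printf("CAP_AUDIT_READ in bounding set: %s\n",
           have < 0 ? "unknown to kernel" : have ? "yes" : "no");

    int rc = try_join_audit_readlog();
    printf("join audit multicast group:     %s\n",
           rc == 0 ? "ok" : strerror(-rc));

    /* Simulate the container manager: drop the cap from the bounding set. */
    rc = drop_cap_from_bounding_set(CAP_AUDIT_READ);
    printf("drop from bounding set:         %s\n",
           rc == 0 ? "ok" : strerror(-rc));
    if (rc == 0)
        printf("after drop, in bounding set:    %d\n",
               cap_in_bounding_set(CAP_AUDIT_READ));
    return 0;
}
```

Run it once on the host and once inside a container: on the host the join succeeds as root; inside a container whose manager dropped CAP_AUDIT_READ from the bounding set, the first line reports "no" and a unit carrying ConditionCapability=CAP_AUDIT_READ in its [Unit] section is skipped rather than started and failed. The drop itself needs CAP_SETPCAP, so as an unprivileged user the third line reports "Operation not permitted", which is the same reason an unprivileged LXC container cannot simply do this from inside.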
