On Mon, Jul 22, 2013 at 11:43:02AM -0400, Matt Hicks wrote:
> One note, when I first ran that (using sudo), I received the
> following SELinux denials:
>
> type=AVC msg=audit(1374507059.429:625): avc: denied { transition }
> for pid=8600 comm="virsh" path="/usr/bin/bash" dev="dm-3"
> ino=1842877
> scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> tcontext=system_u:system_r:virtd_lxc_t:s0-s0:c0.c1023 tclass=process
> type=SYSCALL msg=audit(1374507059.429:625): arch=x86_64
> syscall=execve success=no exit=EACCES a0=7f87443a7a30
> a1=7f87444287e0 a2=7fff38cd3c40 a3=8 items=0 ppid=0 pid=8600
> auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
> ses=1 tty=pts0 comm=virsh exe=/usr/bin/virsh
> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> key=(null)
>
> However, if I put SELinux in permissive mode, the command works. Is
> that expected or should I open a bug?

More recent versions of libvirt set the SELinux security
context when entering the namespace too.

> Also, still hitting some issues with the local account setup. I'm
> not sure if this is related to my minimal install missing some
> components, but when I try and set the passwords on new accounts, I
> get a generic 'System error':
>
> sh-4.2# useradd myuser
> sh-4.2# passwd myuser
> Changing password for user myuser.
> New password:
> BAD PASSWORD: The password is shorter than 8 characters
> Retype new password:
> passwd: System error
>
> The same goes for switching users:
>
> sh-4.2# su - myuser
> su: System error
>
> I've confirmed that an /etc/passwd and /etc/shadow entry exists for
> that user.
>
> Console behavior is the login just fails with 'Incorrect login'. I
> don't see anything of value in the host or container journal so not
> entirely sure where to look there...

Anything failing in containers related to PAM is almost certainly
caused by the audit code being broken wrt containers. Try booting
the kernel with audit=0
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
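
Added example, not part of the original thread: a small Python parser that pairs the AVC and SYSCALL records quoted in the message by their audit event id and reports which domain transition was denied. The sample input is the two records from the message rejoined onto single lines; the function names are illustrative.

```python
import re
from collections import defaultdict

# The two records quoted in the message, rejoined onto one line each (the mail wrapped them).
SAMPLE = '''\
type=AVC msg=audit(1374507059.429:625): avc: denied { transition } for pid=8600 comm="virsh" path="/usr/bin/bash" dev="dm-3" ino=1842877 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:system_r:virtd_lxc_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1374507059.429:625): arch=x86_64 syscall=execve success=no exit=EACCES a0=7f87443a7a30 a1=7f87444287e0 a2=7fff38cd3c40 a3=8 items=0 ppid=0 pid=8600 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=1 tty=pts0 comm=virsh exe=/usr/bin/virsh subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
'''

HEADER = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
AVC = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Group records by audit event id (timestamp:serial)."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue
        rtype, ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        avc = AVC.search(body)
        if avc:
            fields['result'] = avc.group(1)
            fields['perms'] = avc.group(2).split()
        events[(ts, serial)][rtype] = fields
    return events

def selinux_type(context):
    """Third field of user:role:type:level; the level may itself contain colons."""
    return context.split(':')[2]

def denials(text):
    """Summarise each denied AVC together with the syscall record of the same event."""
    out = []
    for (ts, serial), recs in sorted(parse_events(text).items()):
        avc, sc = recs.get('AVC'), recs.get('SYSCALL', {})
        if not avc or avc['result'] != 'denied':
            continue
        out.append({
            'event': f'{ts}:{serial}', 'perms': avc['perms'], 'tclass': avc['tclass'],
            'source_type': selinux_type(avc['scontext']),
            'target_type': selinux_type(avc['tcontext']),
            'syscall': sc.get('syscall'), 'exit': sc.get('exit'), 'exe': sc.get('exe'),
        })
    return out

print(denials(SAMPLE))
```

For the records above this reports a denied `transition` on class `process` from `unconfined_t` to `virtd_lxc_t`, raised by the `execve` call from `/usr/bin/virsh` that failed with `EACCES`.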