[libvirt-users] Libvirt-lxc and systemd question

Daniel P. Berrange berrange at redhat.com
Mon Jul 22 15:52:40 UTC 2013


On Mon, Jul 22, 2013 at 11:43:02AM -0400, Matt Hicks wrote:
> One note, when I first ran that (using sudo), I received the
> following SELinux denials:
> 
> type=AVC msg=audit(1374507059.429:625): avc:  denied  { transition }
> for  pid=8600 comm="virsh" path="/usr/bin/bash" dev="dm-3"
> ino=1842877
> scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> tcontext=system_u:system_r:virtd_lxc_t:s0-s0:c0.c1023 tclass=process
> 
> type=SYSCALL msg=audit(1374507059.429:625): arch=x86_64
> syscall=execve success=no exit=EACCES a0=7f87443a7a30
> a1=7f87444287e0 a2=7fff38cd3c40 a3=8 items=0 ppid=0 pid=8600
> auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
> ses=1 tty=pts0 comm=virsh exe=/usr/bin/virsh
> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> key=(null)
> 
> However, if I put SELinux in permissive mode, the command works.  Is
> that expected or should I open a bug?

More recent versions of libvirt set the SELinux security
context when entering the namespace too.

> Also, still hitting some issues with the local account setup.  I'm
> not sure if this is related to my minimal install missing some
> components, but when I try and set the passwords on new accounts, I
> get a generic 'System error':
> 
> sh-4.2# useradd myuser
> 
> sh-4.2# passwd myuser
> Changing password for user myuser.
> New password:
> BAD PASSWORD: The password is shorter than 8 characters
> Retype new password:
> passwd: System error
> 
> The same goes for switching users:
> 
> sh-4.2# su - myuser
> su: System error
> 
> I've confirmed that an /etc/passwd and /etc/shadow entry exists for
> that user.
> 
> Console behavior is the login just fails with 'Incorrect login'.  I
> don't see anything of value in the host or container journal so not
> entirely sure where to look there...

Anything failing in containers related to PAM is almost certainly
caused by the audit code being broken wrt containers. Try booting
the kernel with audit=0.

Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
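As an added example, not part of the thread or of libvirt's own code: a small Python triage helper that parses audit records in the format Matt quoted, joins each AVC record to its SYSCALL record by audit serial, and reports denied process-domain transitions (the `{ transition }` on `tclass=process` from `unconfined_t` to `virtd_lxc_t` above), so an admin can tell a missing domain-transition rule from an ordinary file-access denial before deciding whether to file a policy bug. Function names are mine; the sample input is the two records from the message, rejoined onto one line each as audit.log stores them.

```python
import re
from collections import defaultdict
# Constructed sample: the two records quoted in the thread, one per line as
# audit.log stores them (the mail client wrapped them across several lines).
SAMPLE_AUDIT = (
    'type=AVC msg=audit(1374507059.429:625): avc:  denied  { transition } for  pid=8600 comm="virsh" '
    'path="/usr/bin/bash" dev="dm-3" ino=1842877 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
    'tcontext=system_u:system_r:virtd_lxc_t:s0-s0:c0.c1023 tclass=process\n'
    'type=SYSCALL msg=audit(1374507059.429:625): arch=x86_64 syscall=execve success=no exit=EACCES '
    'a0=7f87443a7a30 a1=7f87444287e0 a2=7fff38cd3c40 a3=8 items=0 ppid=0 pid=8600 auid=1000 uid=0 gid=0 '
    'euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=1 tty=pts0 comm=virsh exe=/usr/bin/virsh '
    'subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)\n'
)

HEAD_RE = re.compile(r'type=(?P<type>\w+) msg=audit\([\d.]+:(?P<serial>\d+)\): (?P<body>.*)$')
AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value pairs; values may be quoted

def parse_record(line):
    """Parse one audit record into a dict of its fields; None if not an audit record."""
    m = HEAD_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m.group("type"), "serial": int(m.group("serial"))}
    body = m.group("body")
    if rec["type"] == "AVC":          # AVC records carry a verdict and permission set first
        a = AVC_RE.match(body)
        if not a:
            return None
        rec["result"], rec["perms"], body = a.group("result"), a.group("perms").split(), a.group("rest")
    rec.update((k, v.strip('"')) for k, v in KV_RE.findall(body))
    return rec

def denied_transitions(text):
    """Report denied process-domain transitions, each joined to its SYSCALL record by serial."""
    by_serial = defaultdict(dict)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            by_serial[rec["serial"]][rec["type"]] = rec
    out = []
    for serial, recs in sorted(by_serial.items()):
        avc, sc = recs.get("AVC"), recs.get("SYSCALL", {})
        if avc and avc["result"] == "denied" and avc.get("tclass") == "process" and "transition" in avc["perms"]:
            # user:role:type:level -> keep the type, which names the SELinux domain
            out.append({"serial": serial,
                        "source": avc["scontext"].split(":")[2], "target": avc["tcontext"].split(":")[2],
                        "comm": avc.get("comm"), "path": avc.get("path"),
                        "syscall": sc.get("syscall"), "exit": sc.get("exit")})
    return out
```

Running `denied_transitions(SAMPLE_AUDIT)` yields one entry showing virsh (exe `/usr/bin/virsh`) being refused the execve of `/usr/bin/bash` into the `virtd_lxc_t` domain with `EACCES`, which matches the permissive-mode observation in the thread.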
