On Thu, Sep 30, 2021 at 09:56:03AM +0800, wanghai (M) wrote:
>
> On 2021/9/30 5:12, bfields@xxxxxxxxxxxx wrote:
> >On Tue, Sep 28, 2021 at 11:43:00AM -0400, bfields@xxxxxxxxxxxx wrote:
> >>On Tue, Sep 28, 2021 at 03:36:58PM +0000, Trond Myklebust wrote:
> >>>What is the use case here? Starting the gssd daemon or knfsd in
> >>>separate chrooted environments? We already know that they have to be
> >>>started in the same net namespace, which pretty much ensures it has to
> >>>be the same container.
> >>Somehow I forgot that knfsd startup is happening in some real process's
> >>context too (not just a kthread).
> >>
> >>OK, great, I agree, that sounds like it should work.

Ugh, took me a while to get back to this and I went down a couple dead
ends.

The result from selinux's point of view is that rpc.nfsd is doing things
it previously only expected gssproxy to do. Fixable with an update to
selinux policy. And easily fixed in the meantime by cut-and-pasting the
suggestions from the logs.

Still, the result's that mounts fail when you update the kernel, which
seems a violation of our usual rules about regressions. I'd like to do
better.

--b.