On 6/4/19 12:45 PM, Matthew Garrett wrote:
> On Tue, Jun 4, 2019 at 9:42 AM Steve Dickson <SteveD@xxxxxxxxxx> wrote:
>> AVC avc: denied { sys_chroot } for pid=2919 comm="rpc.mountd" capability=18 scontext=system_u:system_r:nfsd_t:s0 tcontext=system_u:system_r:nfsd_t:s0 tclass=capability permissive=0
>
> This is an SELinux policy violation, nothing to do with systemd.

Yeah... that's what I originally thought it was, but when it was suggested to set AmbientCapabilities=CAP_SYS_CHROOT in the service unit I figured I would run it by you guys.

> You're probably not seeing it when you run the daemon by hand because
> the SELinux policy doesn't specify a transition in that case, so the
> daemon doesn't end up running in the confined context.
>

Makes sense... thanks!

steved.

_______________________________________________
systemd-devel mailing list
systemd-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
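The AVC line in the thread is easy to misread as a missing Linux capability, which is why AmbientCapabilities= was suggested. The following added example (not code from the thread or from systemd) parses AVC denial lines in the format shown above, decodes capability=18 to its CAP_* name using the numbering from linux/capability.h, reports whether the kernel was enforcing, and derives the allow rule in the form audit2allow prints for a single denial. The first sample line is the one Steve posted; the second, a file-class denial in permissive mode, is constructed here to show the parser is not specific to capability denials.

```python
"""Parse SELinux AVC denial lines and decode capability denials.

Added example, not code from the thread: it reads the AVC line from the
mailing-list post, maps capability=18 to CAP_SYS_CHROOT, and derives the
policy rule audit2allow would print. The denial is an SELinux decision
about the nfsd_t domain, so a unit-file AmbientCapabilities= setting
cannot satisfy it; only policy can.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Capability numbers as defined in linux/capability.h.
CAPABILITY_NAMES: Dict[int, str] = {
    0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH",
    3: "CAP_FOWNER", 4: "CAP_FSETID", 5: "CAP_KILL", 6: "CAP_SETGID",
    7: "CAP_SETUID", 8: "CAP_SETPCAP", 9: "CAP_LINUX_IMMUTABLE",
    10: "CAP_NET_BIND_SERVICE", 11: "CAP_NET_BROADCAST", 12: "CAP_NET_ADMIN",
    13: "CAP_NET_RAW", 14: "CAP_IPC_LOCK", 15: "CAP_IPC_OWNER",
    16: "CAP_SYS_MODULE", 17: "CAP_SYS_RAWIO", 18: "CAP_SYS_CHROOT",
    19: "CAP_SYS_PTRACE", 20: "CAP_SYS_PACCT", 21: "CAP_SYS_ADMIN",
    22: "CAP_SYS_BOOT", 23: "CAP_SYS_NICE", 24: "CAP_SYS_RESOURCE",
    25: "CAP_SYS_TIME", 26: "CAP_SYS_TTY_CONFIG", 27: "CAP_MKNOD",
    28: "CAP_LEASE", 29: "CAP_AUDIT_WRITE", 30: "CAP_AUDIT_CONTROL",
    31: "CAP_SETFCAP", 32: "CAP_MAC_OVERRIDE", 33: "CAP_MAC_ADMIN",
    34: "CAP_SYSLOG", 35: "CAP_WAKE_ALARM", 36: "CAP_BLOCK_SUSPEND",
    37: "CAP_AUDIT_READ",
}

# Shape: avc: denied { perm perm } for key=value key="quoted value" ...
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class AvcDenial:
    permissions: List[str]
    fields: Dict[str, str]

    def type_of(self, key: str) -> str:
        """The third colon-separated part of a context is its type (e.g. nfsd_t)."""
        return self.fields[key].split(":")[2]


def parse_avc(line: str) -> Optional[AvcDenial]:
    """Return the denial described by an AVC line, or None if it is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return AvcDenial(m.group("perms").split(), fields)


def capability_name(d: AvcDenial) -> Optional[str]:
    """CAP_* name for a capability-class denial, None for any other class."""
    if d.fields.get("tclass") != "capability" or "capability" not in d.fields:
        return None
    return CAPABILITY_NAMES.get(int(d.fields["capability"]), "CAP_UNKNOWN")


def is_enforced(d: AvcDenial) -> bool:
    """permissive=0 means the kernel really refused the operation."""
    return d.fields.get("permissive", "0") == "0"


def suggest_policy_rule(d: AvcDenial) -> str:
    """Allow rule in the form audit2allow prints for one denial."""
    src = d.type_of("scontext")
    tgt = "self" if d.fields["scontext"] == d.fields["tcontext"] else d.type_of("tcontext")
    perms = d.permissions[0] if len(d.permissions) == 1 else "{ " + " ".join(d.permissions) + " }"
    return f"allow {src} {tgt}:{d.fields['tclass']} {perms};"


def explain(d: AvcDenial) -> str:
    """One-line summary a defender can read off the denial."""
    what = capability_name(d) or f"{d.fields.get('tclass')} {' '.join(d.permissions)}"
    mode = "denied (enforcing)" if is_enforced(d) else "logged only (permissive)"
    note = ""
    if capability_name(d):
        note = "; fixed in SELinux policy, not by AmbientCapabilities= in the unit"
    return f"{d.fields.get('comm')} in {d.type_of('scontext')}: {what} {mode}{note}"


# The line from the thread, plus one constructed file-class denial for contrast.
THREAD_LINE = ('AVC avc: denied { sys_chroot } for pid=2919 comm="rpc.mountd" capability=18 '
               "scontext=system_u:system_r:nfsd_t:s0 tcontext=system_u:system_r:nfsd_t:s0 "
               "tclass=capability permissive=0")
CONSTRUCTED_FILE_LINE = ('avc: denied { read write } for pid=1234 comm="example_d" name="state" '
                         "scontext=system_u:system_r:example_t:s0 "
                         "tcontext=system_u:object_r:var_t:s0 tclass=file permissive=1")

if __name__ == "__main__":
    for line in (THREAD_LINE, CONSTRUCTED_FILE_LINE):
        d = parse_avc(line)
        print(explain(d))
        print("   ", suggest_policy_rule(d))
```

The `self` target in the suggested rule is the tell: both contexts are `nfsd_t`, so the check is the domain asking for a capability on itself, and the resolution belongs in the policy for `nfsd_t`, not in the unit file.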