On 6/4/19 1:14 PM, Zbigniew Jędrzejewski-Szmek wrote:
> On Tue, Jun 04, 2019 at 12:42:35PM -0400, Steve Dickson wrote:
>> Hello,
>>
>> We are adding some new functionality to the NFS server that
>> will make it a bit more container friendly...
>>
>> This new functionality needs to do a chroot(2) system call.
>> This systemcall is failing with EPERM due to the
>> following AVC error:
>>
>> AVC avc: denied { sys_chroot } for pid=2919 comm="rpc.mountd" capability=18 scontext=system_u:system_r:nfsd_t:s0 tcontext=system_u:system_r:nfsd_t:s0 tclass=capability permissive=0
>
> It doesn't sound right to do any kind of chrooting yourself.
> Why can't you use the systemd builtins for this?
The patch set is basically adding a pseudo to all the export
which should make things a bit more container friendly...
There is the thread
https://www.spinics.net/lists/linux-nfs/msg73006.html
steved.
>
> Zbyszek
>
>> The entery in the /var/loc/audit.log
>> type=AVC msg=audit(1559659652.217:250): avc: denied { sys_chroot } for pid=2412 comm="rpc.mountd" capability=18 scontext=system_u:system_r:nfsd_t:s0 tcontext=system_u:system_r:nfsd_t:s0 tclass=capability permissive=0
>>
>> It definitely is something with systemd, since I can
>> start the daemon by hand...
>>
>> It was suggested I make the following change to the service unit
>> # diff -u nfs-mountd.service.orig nfs-mountd.service
>> --- nfs-mountd.service.orig 2019-06-04 10:38:57.000000000 -0400
>> +++ nfs-mountd.service 2019-06-04 12:29:34.339621802 -0400
>> @@ -11,3 +11,4 @@
>> [Service]
>> Type=forking
>> ExecStart=/usr/sbin/rpc.mountd
>> +AmbientCapabilities=CAP_SYS_CHROOT
>>
>> which did not work.
>>
>> Any ideas on how to tell systemd its ok for a daemon
>> to do a chroot(2) system call?
>>
>> tia,
>>
>> steved.
>> _______________________________________________
>> systemd-devel mailing list
>> systemd-devel@xxxxxxxxxxxxxxxxxxxxx
>> https://lists.freedesktop.org/mailman/listinfo/systemd-devel
_______________________________________________
systemd-devel mailing list
systemd-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: systemd and chroot()
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
- Subject: Re: systemd and chroot()
- From: Steve Dickson <SteveD@xxxxxxxxxx>
- Date: Tue, 4 Jun 2019 15:00:40 -0400
- Cc: systemd-devel@xxxxxxxxxxxxxxxxxxxxx
- In-reply-to: <20190604171456.GC17099@in.waw.pl>
- References: <fe63bf24-c614-95a2-0971-4e0154950abb@RedHat.com> <20190604171456.GC17099@in.waw.pl>
- User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.6.1
- References:
- systemd and chroot()
- From: Steve Dickson
- Re: systemd and chroot()
- From: Zbigniew Jędrzejewski-Szmek
- systemd and chroot()
- Prev by Date: Re: systemd and chroot()
- Next by Date: Re: [vfio-users] Fwd: Proper way for systemd service to wait mdev gvt device initialization
- Previous by thread: Re: systemd and chroot()
- Next by thread: 5.2rc2, circular lock warning systemd-journal and btrfs_page_mkwrite
- Index(es):
 |