On Wed, 15.04.15 00:22, Frank Thalberg (frankthalb...@ruggedinbox.com) wrote:
> > nspawn at least grants audit caps to containers. If you don't grant
> > audit caps you cannot boot distros like Fedora at all, since much of
> > the PAM audit code in Fedora is written to fail completely if audit
> > is on in the kernel, but cannot be used.
>
> My first impression was that container/namespaces aren't supported
> inside the audit kernel code at all.

Yes. Which is why we suggest to either specify audit=0 on the kernel
cmdline, or (on x86-64 only) mask the audit support away via seccomp
in nspawn. Is this on 32bit userspace or something like that? Or on
non-x86 or so?

> I still have to butt in though. There are 2 issues here at hand.
>
> The first one: It doesn't look to me like the audit subsystem within the
> kernel is ready for namespaces. They aren't directly rejected but I
> can't see any measurements to separate namespaces. It would be quite
> unfortunate if processes within a namespace could receive audit events
> from another namespace.

Yes. audit is broken.

> The second problem is rather simple: it seems libcap currently doesn't
> understand the CAP_AUDIT_READ value so passing it to the --capability=
> option is not an (easy) option.

Hmm, we actually don't use libcap for converting the caps to strings
anymore. It should just work. However, CAP_AUDIT_READ is among the
default caps we pass, this should hence be unnecessary anyway.

> Given that I would suggest to treat the whole audit subsystem to be
> optional and don't fail too hard if it can't be used. Unfortunately
> pre-built packages can't offer the option to configure this
> behavior.

Well, sure, I am all for making audit optional. I am just wondering why
this precise error happens for you even though I have never seen it like
this elsewhere...

> > Hmm, excluding the audit code from the build if HAVE_AUDIT is not set
> > is certainly a good idea, but we generally try to keep #ifdeffery out
> > of .c files. More specifically, the journald-audit.c file should not
> > be compiled and linked at all on non-audit builds, and
> > journald-audit.h should contain the #ifdeffery that causes
> > server_open_audit() to become a NOP on such builds. Would be happy to
> > take a patch for that.
>
> Can't agree more with you here. Your solution to the problem is a
> little more work than I was initially willing to invest into the
> problem. I'll gladly provide a better patch for this given the
> interest in handling this.

I'd be happy to merge a patch like this!

Thanks,

Lennart

--
Lennart Poettering, Red Hat
_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
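The header-side NOP pattern Lennart asks for (the .c file is only compiled on audit builds, the header turns server_open_audit() into a no-op otherwise), shown here as an added example that is not systemd's own code. The Server struct, the audit_nop field, and server_init() are assumptions made for the sake of a self-contained file; the "header" and "source" parts are marked with comments and would normally be journald-audit.h and journald-audit.c. The HAVE_AUDIT branch also shows the "don't fail too hard" behaviour from the thread: a kernel without audit, audit=0, seccomp masking, or a container missing CAP_AUDIT_READ all degrade to "no audit socket" instead of an error.

```c
/*
 * Added example (not systemd's own code): build-time NOP for
 * server_open_audit(). Compile with -DHAVE_AUDIT to get the real
 * netlink path; without it the call compiles to an inline stub.
 * Server, audit_fd, audit_nop and server_init() are hypothetical.
 */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical minimal server state; the real one is far larger. */
typedef struct Server {
        int audit_fd;      /* -1 when no audit socket is open */
        bool audit_nop;    /* true when this build has no audit support */
} Server;

/* ---- what journald-audit.h would contain ---- */
#ifdef HAVE_AUDIT
int server_open_audit(Server *s);
#else
/* No audit support compiled in: the call becomes a NOP that reports
 * success, so the caller needs no #ifdef of its own. */
static inline int server_open_audit(Server *s) {
        s->audit_fd = -1;
        s->audit_nop = true;
        return 0;
}
#endif

/* ---- what journald-audit.c would contain (built only with HAVE_AUDIT) ---- */
#ifdef HAVE_AUDIT
#include <sys/socket.h>
#include <linux/audit.h>
#include <linux/netlink.h>
#include <unistd.h>

int server_open_audit(Server *s) {
        struct sockaddr_nl nl = {
                .nl_family = AF_NETLINK,
                .nl_pid = 0,                        /* kernel assigns the port id */
                .nl_groups = AUDIT_NLGRP_READLOG,   /* needs CAP_AUDIT_READ */
        };

        s->audit_nop = false;
        s->audit_fd = socket(AF_NETLINK, SOCK_RAW | SOCK_CLOEXEC | SOCK_NONBLOCK, NETLINK_AUDIT);
        if (s->audit_fd < 0) {
                /* Kernel built without audit, or the family masked away
                 * (e.g. by seccomp in nspawn): not available, not fatal. */
                if (errno == EAFNOSUPPORT || errno == EPROTONOSUPPORT)
                        fprintf(stderr, "Audit not supported by the kernel, ignoring.\n");
                else
                        fprintf(stderr, "Failed to create audit socket, ignoring: %s\n", strerror(errno));
                s->audit_fd = -1;
                return 0;
        }

        if (bind(s->audit_fd, (struct sockaddr *) &nl, sizeof(nl)) < 0) {
                /* EPERM here is what a container without CAP_AUDIT_READ sees;
                 * degrade to "no audit" instead of failing journald startup. */
                fprintf(stderr, "Failed to join audit multicast group, ignoring: %s\n", strerror(errno));
                close(s->audit_fd);
                s->audit_fd = -1;
                return 0;
        }

        return 0;
}
#endif

/* Caller side: identical on both builds, never branches on HAVE_AUDIT. */
int server_init(Server *s) {
        s->audit_fd = -1;
        s->audit_nop = false;
        return server_open_audit(s);
}

int main(void) {
        Server s;
        int r = server_init(&s);
        printf("server_open_audit() -> %d, audit_fd=%d, nop=%s\n",
               r, s.audit_fd, s.audit_nop ? "yes" : "no");
        return r < 0;
}
```

Built without -DHAVE_AUDIT the binary links without libaudit or the netlink code at all, which is the "not compiled and linked" property the thread asks for; built with it, a failing socket() or bind() still returns 0 and leaves audit_fd at -1.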