On 6/4/19 12:45 PM, Matthew Garrett wrote:
> On Tue, Jun 4, 2019 at 9:42 AM Steve Dickson <ste...@redhat.com> wrote:
>> AVC avc:  denied  { sys_chroot } for  pid=2919 comm="rpc.mountd" 
>> capability=18  scontext=system_u:system_r:nfsd_t:s0 
>> tcontext=system_u:system_r:nfsd_t:s0 tclass=capability permissive=0
> 
> This is an SELinux policy violation, nothing to do with systemd.
Yeah... that's what I originally thought it was, but when
it was suggested to set AmbientCapabilities=CAP_SYS_CHROOT
in the service unit, I figured I would run it by you guys.

> You're probably not seeing it when you run the daemon by hand because
> the SELinux policy doesn't specify a transition in that case, so the
> daemon doesn't end up running in the confined context.
> 
Makes sense... thanks!

steved.
_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
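
Added example, not part of the thread or of any project's code: a small Python triage of the AVC record quoted above, showing why it reads as an enforced SELinux denial on the nfsd_t domain rather than a missing systemd capability. The function names and the "candidate rule" output are assumptions made for illustration; the rule is printed for policy review, not as the fix the thread settled on.

```python
import re

# The denial quoted in the thread, joined onto one line as auditd logs it.
AVC = ('AVC avc:  denied  { sys_chroot } for  pid=2919 comm="rpc.mountd" '
       'capability=18  scontext=system_u:system_r:nfsd_t:s0 '
       'tcontext=system_u:system_r:nfsd_t:s0 tclass=capability permissive=0')

def parse_avc(line):
    """Split an AVC record into result, permissions and key=value fields."""
    m = re.search(r'avc:\s+(denied|granted)\s+\{([^}]*)\}', line)
    if not m:
        raise ValueError('not an AVC record')
    rec = {'result': m.group(1), 'perms': m.group(2).split()}
    for key, val in re.findall(r'(\w+)=("[^"]*"|\S+)', line):
        rec[key] = val.strip('"')
    return rec

def domain(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(':')
    if len(parts) < 3:
        raise ValueError('malformed context: %r' % context)
    return parts[2]

def triage(line):
    """Summarise who was denied what, and whether SELinux enforced it."""
    rec = parse_avc(line)
    src, tgt = domain(rec['scontext']), domain(rec['tcontext'])
    # permissive=0: the kernel actually blocked the operation.
    enforced = rec['result'] == 'denied' and rec.get('permissive') == '0'
    # A capability check is made by a process against its own context.
    self_cap = (rec['tclass'] in ('capability', 'capability2')
                and rec['scontext'] == rec['tcontext'])
    target = 'self' if self_cap else tgt
    # Rule the denial corresponds to, for a policy maintainer to review.
    rule = 'allow %s %s:%s { %s };' % (src, target, rec['tclass'],
                                       ' '.join(rec['perms']))
    return {'comm': rec.get('comm'), 'domain': src, 'enforced': enforced,
            'self_capability': self_cap, 'candidate_rule': rule}

if __name__ == '__main__':
    for k, v in triage(AVC).items():
        print('%-16s %s' % (k + ':', v))
```

The source domain in the record is nfsd_t, the confined domain the daemon ends up in when started as a service; a copy started by hand without that transition would not be checked against nfsd_t's rules.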
