| Summary: | [virt-login-shell] cannot open user home directory: Permission denied | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Alex Jia <ajia> |
| Component: | libvirt | Assignee: | Libvirt Maintainers <libvirt-maint> |
| Status: | CLOSED NOTABUG | QA Contact: | Virtualization Bugs <virt-bugs> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 7.0 | CC: | acathrow, dwalsh, dyuan, gsun, zpeng |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2013-09-05 15:36:17 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Description
Alex Jia, 2013-09-03 03:45:17 UTC

Daniel Walsh, comment #2

In order to make this work you would have to label /home/sandbox correctly with virt_lxc_file_t and the correct MCS label. When you are in the sandbox you will be running something like

    svirt_lxc_net_t:s0:c2,c3

and you are only able to read/write

    svirt_lxc_file_t:s0:c2,c3

Openshift sets this up automatically. They set up static labeling.

Alex Jia

(In reply to Daniel Walsh from comment #2)
> In order to make this work you would have to label /home/sandbox correctly
> with virt_lxc_file_t and the correct MCS Label.
>
> When you are in the sandbox you will be running something like
>
> svirt_lxc_net_t:s0:c2,c3 And you are only able to read/write
> svirt_lxc_file_t:s0:c2,c3
>
> Openshift sets this up automatically.
>
> They set up static labeling.

Daniel, I think there should be a document describing this, at least in the future. In addition, I also checked auditd.log with SELinux in 'Enforcing' mode and haven't found any AVC denied error, so it is indeed hard for me to debug this. Is this an SELinux issue? Thanks.

Alex Jia

Daniel, can the default SELinux label "svirt_lxc_net_t" be assigned automatically when we create a sandbox (libvirt-sandbox) account? I guess OpenShift does this by itself; if I'm not an OpenShift user, then it means I must change my home directory's SELinux label manually.

Daniel Walsh

Yes, when using libvirt-sandbox you need to set up labels yourself for any content you want to be able to write within the sandbox. When using virt-sandbox-service, it does this for you.

Daniel Walsh, comment #6

We have a version of virt-sandbox -s inherit which is in the upstream, which will run the sandbox with the user's context rather than svirt_lxc_net_t. When this comes out you could run containers as unconfined_t and then the login should work fine.

Alex Jia

(In reply to Daniel Walsh from comment #6)
> We have a version of virt-sandbox -s inherit which is in the upstream which
> will run the sandbox with the user's context rather than svirt_lxc_net_t.
> When this comes out you could run containers as unconfined_t and then the
> login should work fine.

Thanks, I'm looking forward to testing this new feature; if everything is okay, I will close the bug as WORKSFORME.
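The labeling rule Daniel describes (the sandbox process runs as `svirt_lxc_net_t` with an MCS level such as `s0:c2,c3`, and can only read or write files carrying the sandbox file type with matching categories) can be checked statically before a login fails. The script below is an added example written for this thread; it is not code from libvirt, libvirt-sandbox or the bug report. It assumes `svirt_lxc_file_t` as the file type (the thread writes it as both `virt_lxc_file_t` and `svirt_lxc_file_t`), models only the confined `svirt_lxc_net_t` case (the `-s inherit` / `unconfined_t` path does not go through this rule), and uses constructed sample contexts; the `chcon` invocation it builds uses the real `-t` and `-l` options.

```python
"""Static check of SELinux type + MCS category compatibility between a
libvirt-sandbox process label and a home directory label.
Added example for this bug thread; not libvirt or libvirt-sandbox code."""
import re

# Types named in the thread: the confined sandbox process runs as
# svirt_lxc_net_t and may only read/write files of type svirt_lxc_file_t
# (assumption: the thread also spells the file type virt_lxc_file_t).
SANDBOX_PROCESS_TYPE = "svirt_lxc_net_t"
SANDBOX_FILE_TYPE = "svirt_lxc_file_t"

_LEVEL_RE = re.compile(r"s\d+(-s\d+)?")


def parse_context(ctx):
    """Return (type, level) from a full 'user:role:type:level' context or the
    'type:level' shorthand used in the thread, e.g. 'svirt_lxc_net_t:s0:c2,c3'."""
    fields = ctx.split(":")
    for i, field in enumerate(fields):
        if _LEVEL_RE.fullmatch(field):
            if i == 0:
                raise ValueError(f"context has no type: {ctx!r}")
            return fields[i - 1], ":".join(fields[i:])
    raise ValueError(f"context has no sensitivity level: {ctx!r}")


def categories(level):
    """Expand the MCS categories of a level ('s0:c2,c3', 's0-s0:c0.c1023')
    into a set of ints; for a 'low-high' range the high end is used."""
    high = level.split("-")[-1]
    parts = high.split(":", 1)
    if len(parts) == 1:  # plain 's0': no categories
        return set()
    cats = set()
    for item in parts[1].split(","):
        m = re.fullmatch(r"c(\d+)(?:\.c(\d+))?", item)
        if not m:
            raise ValueError(f"bad category {item!r} in {level!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        cats.update(range(lo, hi + 1))
    return cats


def check_access(process_ctx, file_ctx):
    """Decide whether the confined sandbox process could read/write the file.
    Two rules, as stated in the thread: the file must carry the sandbox file
    type, and the process's MCS categories must dominate (be a superset of)
    the file's categories. Returns (allowed, reason)."""
    ptype, plevel = parse_context(process_ctx)
    ftype, flevel = parse_context(file_ctx)
    if ptype != SANDBOX_PROCESS_TYPE:
        raise ValueError(f"only {SANDBOX_PROCESS_TYPE} is modelled, got {ptype}")
    if ftype != SANDBOX_FILE_TYPE:
        return False, f"file type {ftype} is not {SANDBOX_FILE_TYPE}"
    pcats, fcats = categories(plevel), categories(flevel)
    if not fcats <= pcats:
        missing = ",".join(f"c{c}" for c in sorted(fcats - pcats))
        return False, f"file categories {missing} are outside the process's MCS set"
    return True, "type and MCS categories match"


def fix_command(path, process_ctx):
    """Build the chcon call that gives PATH the sandbox file type and the
    process's MCS level (the 'static labeling' the thread refers to)."""
    _, plevel = parse_context(process_ctx)
    level = plevel.split("-")[-1]
    return f"chcon -R -t {SANDBOX_FILE_TYPE} -l {level} {path}"


if __name__ == "__main__":
    # Constructed sample labels: one process context and three candidate
    # labels for /home/sandbox (default home dir, wrong categories, correct).
    process = "svirt_lxc_net_t:s0:c2,c3"
    samples = [
        "unconfined_u:object_r:user_home_dir_t:s0",
        "system_u:object_r:svirt_lxc_file_t:s0:c5,c7",
        "system_u:object_r:svirt_lxc_file_t:s0:c2,c3",
    ]
    for label in samples:
        allowed, why = check_access(process, label)
        print(f"{label:50} {'OK ' if allowed else 'DENY'} {why}")
        if not allowed:
            print("    fix:", fix_command("/home/sandbox", process))
```

Two practitioner caveats follow from the thread. First, a `chcon` label is lost on the next `restorecon`; to keep it, record an equivalent `semanage fcontext` rule (its `-t` and `-r` options take the type and range) and then run `restorecon`. Second, the absence of AVC messages in the audit log, which Alex reports, does not prove SELinux is uninvolved: denials covered by `dontaudit` rules are silent until the policy is rebuilt with them disabled (`semodule -DB`; `semodule -B` re-enables them).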