| Summary: | Some services fail to start in container with -P option | | |
|---|---|---|---|
| Product: | [Community] Virtualization Tools | Reporter: | Luwen Su <lsu> |
| Component: | libvirt-sandbox | Assignee: | Libvirt Maintainers <libvirt-maint> |
| Status: | CLOSED WONTFIX | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | berrange, dyuan, gsun, mzhan, weizhan, zpeng |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2020-04-16 17:49:09 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Closing old bug, virt-sandbox-service feature has been deleted.
Description of problem:

Some services fail to start in a container created with -P, due to different reasons, like lack of a dir or a SELinux policy issue.

Version-Release number of selected component (if applicable):

- libvirt-sandbox-0.5.0-7.el7.x86_64
- systemd-207-8.el7.x86_64
- selinux-policy-3.12.1-103.el7.noarch

How reproducible:

100%

Steps to Reproduce:

For openssh-server

1.

```
# virt-sandbox-service create -C -u httpd.service -P openssh -P postfix -N dhcp,source=default mul-ssh
# virsh -c lxc:/// start mul-ssh
# virt-sandbox-service connect mul-ssh
```

2.

```
sh-4.2# systemctl start sshd
sh-4.2# systemctl status sshd
sshd.service - OpenSSH server daemon
   Loaded: loaded (/usr/lib/systemd/system/sshd.service; disabled)
   Active: activating (auto-restart) (Result: exit-code) since Thu 2013-12-19 11:29:36 CST; 1s ago
  Process: 110 ExecStart=/usr/sbin/sshd -D $OPTIONS (code=exited, status=255)
  Process: 109 ExecStartPre=/usr/sbin/sshd-keygen (code=exited, status=0/SUCCESS)
 Main PID: 110 (code=exited, status=255)

sh-4.2# journalctl -xn
Dec 19 11:29:36 mul-ssh sshd[110]: Missing privilege separation directory: /var/empty/sshd

sh-4.2# mkdir -p /var/empty/sshd
sh-4.2# systemctl start sshd
sh-4.2# systemctl status sshd
sshd.service - OpenSSH server daemon
   Loaded: loaded (/usr/lib/systemd/system/sshd.service; disabled)
   Active: active (running) since Thu 2013-12-19 11:30:18 CST; 4s ago
  Process: 117 ExecStartPre=/usr/sbin/sshd-keygen (code=exited, status=0/SUCCESS)
 Main PID: 118 (sshd)
   CGroup: /machine.slice/machine-lxc\x2dmul\x2dssh.scope/system.slice/sshd.service
           `-118 /usr/sbin/sshd -D

Dec 19 11:30:18 mul-ssh sshd[118]: Server listening on 0.0.0.0 port 22.
Dec 19 11:30:18 mul-ssh sshd[118]: Server listening on :: port 22.
```

For httpd

1.

```
# virt-sandbox-service create -C -u crond.service -P httpd -P postfix -N dhcp,source=default mul-http
# virsh -c lxc:/// start mul-http
# virt-sandbox-service connect mul-http
```

2.

```
sh-4.2# systemctl start httpd
Job for httpd.service failed. See 'systemctl status httpd.service' and 'journalctl -xn' for details.

sh-4.2# journalctl -xn
-- Logs begin at Thu 2013-12-19 11:34:47 CST, end at Thu 2013-12-19 11:35:06 CST. --
Dec 19 11:34:47 mul-http crond[15]: (CRON) INFO (running without inotify support)
Dec 19 11:34:47 mul-http dhclient[4]: DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 4 (xid=0x7a407ff5)
Dec 19 11:34:51 mul-http dhclient[4]: DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 4 (xid=0x7a407ff5)
Dec 19 11:34:55 mul-http dhclient[4]: DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 9 (xid=0x7a407ff5)
Dec 19 11:34:58 mul-http dhclient[4]: DHCPREQUEST on eth0 to 255.255.255.255 port 67 (xid=0x7a407ff5)
Dec 19 11:34:58 mul-http dhclient[4]: DHCPOFFER from 192.168.122.1
Dec 19 11:34:58 mul-http dhclient[4]: DHCPACK from 192.168.122.1 (xid=0x7a407ff5)
Dec 19 11:35:00 mul-http dhclient[4]: bound to 192.168.122.175 -- renewal in 1527 seconds.
Dec 19 11:35:06 mul-http httpd[102]: Failed at step NAMESPACE spawning /usr/sbin/httpd: Permission denied
Dec 19 11:35:06 mul-http kill[103]: Failed at step NAMESPACE spawning /bin/kill: Permission denied
```

On host, setroubleshoot reports:

```
SELinux is preventing /usr/lib/systemd/systemd from mounton access on the directory /.
For complete SELinux messages. run sealert -l 178c6b0b-91aa-472d-89b7-c6482254826e

# sealert -l 178c6b0b-91aa-472d-89b7-c6482254826e
SELinux is preventing /usr/lib/systemd/systemd from mounton access on the directory /.

*****  Plugin catchall (100. confidence) suggests  **************************

If you believe that systemd should be allowed mounton access on the directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep (httpd) /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:svirt_lxc_net_t:s0
Target Context                system_u:object_r:root_t:s0
Target Objects                / [ dir ]
Source                        (httpd)
Source Path                   /usr/lib/systemd/systemd
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           systemd-207-8.el7.x86_64
Target RPM Packages           filesystem-3.2-13.el7.x86_64
Policy RPM                    selinux-policy-3.12.1-103.el7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 3.10.0-64.el7.x86_64 #1 SMP Tue Dec 17 16:46:38 EST 2013 x86_64 x86_64
Alert Count                   4
First Seen                    2013-12-19 11:24:29 CST
Last Seen                     2013-12-19 11:35:06 CST
Local ID                      178c6b0b-91aa-472d-89b7-c6482254826e

Raw Audit Messages
type=AVC msg=audit(1387424106.704:232): avc: denied { mounton } for pid=2977 comm="(kill)" path="/" dev="sda1" ino=128 scontext=system_u:system_r:svirt_lxc_net_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir

type=SYSCALL msg=audit(1387424106.704:232): arch=x86_64 syscall=mount success=no exit=EACCES a0=0 a1=7faadbd141b2 a2=0 a3=84000 items=0 ppid=1 pid=2977 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=(kill) exe=/usr/lib/systemd/systemd subj=system_u:system_r:svirt_lxc_net_t:s0 key=(null)

Hash: (httpd),svirt_lxc_net_t,root_t,dir,mounton
```
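An added example, not from the bug report or from libvirt-sandbox, that parses the two raw audit records above, joins the AVC and SYSCALL records by their shared audit serial, reproduces the `(comm),source type,target type,class,permission` shape of the `Hash:` line, and maps the `mounton` denial from the sandbox domain to the `Failed at step NAMESPACE` symptom seen inside the container. The sample records are copied from this report; the regexes, `signature()` and `diagnose()` and its wording are assumptions of this example.

```python
import re
# Constructed sample input: the two raw audit records quoted in the bug report,
# which share one event serial (1387424106.704:232).
RAW_AUDIT = (
    'type=AVC msg=audit(1387424106.704:232): avc: denied { mounton } for pid=2977 '
    'comm="(kill)" path="/" dev="sda1" ino=128 scontext=system_u:system_r:svirt_lxc_net_t:s0 '
    'tcontext=system_u:object_r:root_t:s0 tclass=dir\n'
    'type=SYSCALL msg=audit(1387424106.704:232): arch=x86_64 syscall=mount success=no '
    'exit=EACCES a0=0 a1=7faadbd141b2 a2=0 a3=84000 items=0 ppid=1 pid=2977 auid=4294967295 '
    'uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 '
    'comm=(kill) exe=/usr/lib/systemd/systemd subj=system_u:system_r:svirt_lxc_net_t:s0 key=(null)\n'
)

HDR_RE = re.compile(r'^type=(?P<type>\w+) msg=audit\([\d.]+:(?P<serial>\d+)\): (?P<body>.*)$')
AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def type_of(context):
    """SELinux type of a context: system_u:system_r:svirt_lxc_net_t:s0 -> svirt_lxc_net_t."""
    parts = context.split(':')
    return parts[2] if len(parts) > 2 else ''

def parse_events(raw):
    """Group records by audit serial so an AVC and its SYSCALL record merge into one dict."""
    events = {}
    for line in raw.splitlines():
        m = HDR_RE.match(line.strip())
        if not m:
            continue  # not an audit record (e.g. the 'Hash:' summary line)
        ev, body = events.setdefault(m.group('serial'), {}), m.group('body')
        if m.group('type') == 'AVC':
            a = AVC_RE.match(body)
            ev['result'], ev['perms'] = a.group('result'), a.group('perms').split()
            body = a.group('fields')
        for k, v in KV_RE.findall(body):
            ev[k] = v.strip('"')  # comm="(kill)" -> (kill); contexts are unquoted
    return events

def signature(ev):
    """Same shape as the 'Hash:' line sealert prints: (comm),source type,target type,class,perm."""
    return ','.join([ev['comm'], type_of(ev['scontext']), type_of(ev['tcontext']),
                     ev['tclass'], ev['perms'][0]])

def diagnose(ev):
    """Map a denial to the symptom seen in the sandbox; only the case from this report is handled."""
    if (ev.get('result') == 'denied' and 'mounton' in ev.get('perms', [])
            and ev.get('tclass') == 'dir' and type_of(ev.get('scontext', '')).startswith('svirt_lxc')):
        return ('systemd in the sandbox (%s, exe %s) was denied mounting on %s while building the '
                "service's mount namespace, so the unit fails at step NAMESPACE"
                % (type_of(ev['scontext']), ev.get('exe', '?'), ev.get('path', '?')))
    return 'no mapping for this denial'
```

Call `parse_events(RAW_AUDIT)` and pass the resulting event to `signature()` and `diagnose()`; the raw record on the page is for `comm="(kill)"`, so its signature differs from the `(httpd)` hash only in the first field, which is why the journal shows both httpd and kill failing at the same step.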