Bug 788221
| Field | Value |
|---|---|
| Summary | Mounts in a child mount namespace are visible to the parent. |
| Product | [Fedora] Fedora |
| Component | policycoreutils |
| Version | 16 |
| Hardware | x86_64 |
| OS | Linux |
| Status | CLOSED NEXTRELEASE |
| Severity | unspecified |
| Priority | unspecified |
| Reporter | Lars Kellogg-Stedman <lars> |
| Assignee | Daniel Walsh <dwalsh> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | dwalsh, jonathan, kzak, mgrepl, mluscon |
| Doc Type | Bug Fix |
| Last Closed | 2012-10-11 17:49:51 UTC |

Description
Lars Kellogg-Stedman
2012-02-07 19:14:22 UTC
Upon further investigation (http://unix.stackexchange.com/questions/31050/problem-with-mount-namespaces-under-fedora) it looks like this is due to the "sandbox" init script installed by the policycoreutils package. The "problem" system is a desktop system, which includes the sandbox script enabled in runlevel 5, whereas the "working" system is a headless server, so it does not run the sandbox script.

This represents a fairly substantial difference in behavior, and I wonder if there's not some way to make the behavior of the sandbox script more explicit, or tied more tightly to the services that require it -- that is, instead of running it by default, run it only if the user is using xguest, pam_namespace, etc.

It seems like most of those tools could look at the entry for "/" in /proc/self/mountinfo and see if it has the "shared" flag.

This is known sandbox behaviour. If you want to be really sure that your mounts are unshared independently of the current system setting, then call mount --make-private <mnt>.

I have added a comment about MS_SHARED flag (mount --make-shared) to the man page unshare.1 to make it more obvious for users. [Upstream commit bc87f885125d6d7bd9f353cf78d79a56a882f51b, the man page update will be available in Fedora 17.]

(In reply to comment #1)
> This represents a fairly substantial difference in behavior, and I wonder if
> there's not some way to make the behavior of the sandbox script more explicit,
> or tied more tightly to the services that require it -- that is, instead of
> running it by default, run it only if the user is using xguest, pam_namespace,
> etc.

Good point, reassigning...

sandbox init script is no longer needed in F17. Not really sure it is needed in F16 any more.

Just following up on old reports... can we declare this WONTFIX, or close the ticket, or something?
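
The check suggested in the thread (read the entry for "/" in /proc/self/mountinfo and look for the "shared" flag), written out as an added example that is not part of the bug report or of policycoreutils. The function names and the sample lines are constructed for illustration; a tool could run this before relying on a new mount namespace for isolation.

```python
import re

# Constructed sample lines in /proc/self/mountinfo format (not from the bug report).
SAMPLE_SHARED = """\
21 1 253:0 / / rw,relatime shared:1 - ext4 /dev/mapper/vg-root rw
24 21 0:20 / /tmp rw,nosuid shared:5 - tmpfs tmpfs rw
30 21 8:1 / /mnt/my\\040disk rw master:1 propagate_from:2 - ext4 /dev/sda1 rw
"""
SAMPLE_PRIVATE = "21 1 253:0 / / rw,relatime - ext4 /dev/mapper/vg-root rw\n"


def _unescape(path):
    # The kernel writes space, tab, newline and backslash as \ooo octal escapes.
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), path)


def parse_mountinfo(text):
    """Map each mount point to its optional fields, e.g. {'shared': '1'}."""
    mounts = {}
    for line in text.splitlines():
        fields = line.split()
        try:
            # Optional fields sit between field 6 (mount options) and the "-" separator.
            sep = fields.index("-", 6)
        except ValueError:
            continue  # malformed or truncated line
        tags = {}
        for opt in fields[6:sep]:
            tag, _, value = opt.partition(":")
            tags[tag] = value
        # A later line for the same path is the mount stacked on top; it wins.
        mounts[_unescape(fields[4])] = tags
    return mounts


def propagation(text, mount_point="/"):
    """Return 'shared', 'slave', 'shared+slave', 'unbindable' or 'private'."""
    tags = parse_mountinfo(text)[mount_point]  # KeyError if not a mount point
    kinds = [name for name, tag in (("shared", "shared"), ("slave", "master")) if tag in tags]
    if kinds:
        return "+".join(kinds)
    return "unbindable" if "unbindable" in tags else "private"


if __name__ == "__main__":
    with open("/proc/self/mountinfo") as f:
        print("/ is", propagation(f.read()))
```

A result of "shared" for "/" means mounts made in a child namespace propagate back to the parent unless the tree is first made private, which is the behaviour reported here.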