[lxc-devel] [SMACK] Problem with user namespace

Jacek Pielaszkiewicz j.pielaszkie at samsung.com
Fri Mar 28 11:34:11 UTC 2014



Hi

      I have a problem with starting lxc containers when SMACK is enabled
on the host. The issue appears when systemd tries to start a user session in
the container. In that case systemd reports an error that it has no
permission to set the SMACK label. In my test configuration the lxc container
has full separation (all namespaces are enabled, including the user namespace).
      The issue is common. The problem is due to the task lacking permission
to write into the /proc/self/attr/current file even though the task has the
CAP_MAC_ADMIN capability active. According to my tests the issue is
connected to the user namespace.

      I have prepared a patch (see attached file). The patch was created and tested
on kernel 3.10.


I will be grateful for comments.


Best regards

Jacek Pielaszkiewicz


-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Enable-user-namespace-in-SMACK.patch
Type: text/x-patch
Size: 5431 bytes
Desc: not available
URL: <http://lists.linuxcontainers.org/pipermail/lxc-devel/attachments/20140328/82aae374/attachment.bin>
