[Lxc-users] centos6 container and root login

Dwight Engen dwight.engen at oracle.com
Tue Oct 23 19:53:05 UTC 2012


On Tue, 23 Oct 2012 20:03:33 +0200
olx69 <ope-linux at gmx.de> wrote:

>  >> > to be more precise, I've got after root/passwd phrase the
>  >> > option:
>  >> >
>  >> > Would you like to enter a security context? [N]
>  >>
>  >> Looks like selinux problem? Can you try disabling selinux in the
>  >> host (and possibly in the guest as well) with "setenforce 0".
>  >
>  >FWIW in my experience doing setenforce 0 in the host isn't enough
>  >for the guest to think selinux is disabled since
>  >libselinux::is_selinux_enabled() in the guest will
>  >check /proc/filesystems and see selinuxfs, thus reporting that it is
>  >on. (ie. check the output of sestatus in the guest). I had to
>  >disable it and reboot to make the guest think it is not enabled.
> 
> How to disable it in that manner?
> 
> In the container I did install policycoreutils (as shown at 
> http://wiki.1tux.org/wiki/Centos6/Installation/Minimal_installation_using_yum 
> I have only centos-release and the essential packages) and have
> 
> # echo 0 >selinux/enforce
> # cat etc/selinux/config
> SELINUX=disabled
> 
> in the lxc container I can do now
> 
> [root at pgsql ~]# sestatus
> SELinux status:                 enabled
> SELinuxfs mount:                /selinux
> Current mode:                   enforcing
> Mode from config file:          disabled
> Policy version:                 24
> Policy from config file:        targeted
> 
> which disables selinux obviously.

Not actually disabled yet, for example try changing root's password
in the container and you will not be able to. Doing the change to the
host's /etc/selinux/config you showed and rebooting the host should
disable it, not just set it to permissive. As long as sestatus
shows like above (the SELinux status is enabled), programs in the guest
still think it's enabled regardless of what the config file says because
they call the libselinux::is_selinux_enabled() function I mentioned
above which checks to see if selinuxfs is in /proc/filesystems.

> BTW, for root login all I did was to disable all
> pam_selinux.so and pam_loginuid.so lines in /etc/pam.d/login !

Yes, you may also have to add lxc/tty1 or pts/0 (for libvirt)
to $container/etc/securetty depending on how you have your ptys mapped.
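The check Dwight describes, written out as a small diagnostic so a container admin can see why the guest still reports SELinux "enabled" when the config file says "disabled". This is an added example, not code from the thread or from libselinux: it mimics what is_selinux_enabled() does (look for "selinuxfs" in /proc/filesystems) and then summarises the same three facts that the sestatus output above shows. The file paths are parameters so the script can be run against captured copies; the sample inputs at the bottom are constructed to mirror the situation in the thread.

```shell
#!/bin/sh
# Added example (not from the thread or libselinux): reproduce the
# "is SELinux enabled?" decision that the guest's programs make, and
# report it next to the config-file setting and the runtime enforce flag.

# Return 0 when the kernel advertises selinuxfs (the guest will think
# SELinux is on), 1 otherwise.  $1: a /proc/filesystems-style listing.
selinuxfs_advertised() {
    grep -q '[[:space:]]selinuxfs$' "$1"
}

# Print "kernel=... config=... runtime=..." for the three sources that
# sestatus combines.  $1: /proc/filesystems listing, $2: selinux config
# file (SELINUX=... line), $3: enforce file (e.g. /selinux/enforce on
# CentOS 6 or /sys/fs/selinux/enforce on newer kernels).
selinux_report() {
    fs="$1"; cfg="$2"; enf="$3"
    if selinuxfs_advertised "$fs"; then kernel=enabled; else kernel=disabled; fi
    # Mode the config file asks for (what "Mode from config file" shows).
    cfgmode=$(sed -n 's/^SELINUX=//p' "$cfg" 2>/dev/null | head -n1)
    [ -n "$cfgmode" ] || cfgmode=unknown
    # Runtime flag: 1 = enforcing, 0 = permissive; absent means selinuxfs
    # is not mounted where we looked, so programs fall back to /proc check.
    if [ -r "$enf" ]; then
        case "$(cat "$enf")" in
            1) runtime=enforcing ;;
            0) runtime=permissive ;;
            *) runtime=unknown ;;
        esac
    else
        runtime=absent
    fi
    echo "kernel=$kernel config=$cfgmode runtime=$runtime"
}

# Constructed sample inputs: kernel still lists selinuxfs, the container's
# config says disabled, and the enforce flag has been written to 0.
tmp=$(mktemp -d)
printf 'nodev\tsysfs\nnodev\tproc\nnodev\tselinuxfs\n\text4\n' > "$tmp/filesystems"
printf 'SELINUX=disabled\nSELINUXTYPE=targeted\n' > "$tmp/config"
printf '0\n' > "$tmp/enforce"
selinux_report "$tmp/filesystems" "$tmp/config" "$tmp/enforce"
# -> kernel=enabled config=disabled runtime=permissive
rm -rf "$tmp"
```

Run it inside the guest with the real paths (`selinux_report /proc/filesystems /etc/selinux/config /selinux/enforce`) to see the mismatch: as long as `kernel=enabled`, the config file alone will not convince the guest, which is why the host has to be rebooted with SELinux disabled.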
