problem using sshd inside a LXC container

Darren Tucker dtucker at zip.com.au
Tue Oct 25 14:28:17 EST 2011


On 24/10/11 10:38 PM, Hans Harder wrote:
> Currently I have a RH6.1 host with selinux enabled
> On this I am running a LXC container with ubuntu (without selinux) with
> OpenSSH_5.3p1 Debian-3ubuntu4, OpenSSL 0.9.8k 25 Mar 2009
[...]
> Now I assume I have a problem because inside the container selinux is
> disabled...
> If so, is there a way to tell the sshd inside the container to ignore
> the selinux check....

sshd has no knobs for this.  The code in openbsd-compat/port-linux.c 
looks roughly like this (assuming it's not been changed by debian or 
ubuntu):

	r = get_default_context(sename, NULL, &sc);
	if (r != 0) {
		switch (security_getenforce()) {
		case -1:
			fatal("%s: ssh_selinux_getctxbyname: "
			    "security_getenforce() failed", __func__);

so if you could get get_default_context() to return zero then it won't 
fatal out, but I don't know enough selinux and/or lxc to know if that's 
possible.  Failing that, you'd probably have to hack sshd.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
     Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
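An added diagnostic (not sshd code and not part of the original post) that mirrors the decision in the excerpt above: run it inside the container to predict whether sshd will fatal. Assumptions: security_getenforce() reads <selinuxfs>/enforce, selinuxfs is at /sys/fs/selinux or /selinux, and the permissive/enforcing branches (taken from the rest of that switch in port-linux.c, not from the quoted lines) are "log and continue" and "fatal" respectively; check both against the libselinux and OpenSSH versions actually installed.

```shell
#!/bin/sh
# Emulates the SELinux check quoted from openbsd-compat/port-linux.c.
# Assumption: libselinux's security_getenforce() reads <selinuxfs>/enforce
# and returns -1 when that file cannot be read (e.g. selinuxfs not mounted
# inside the container).

# selinux_mode DIR: emulate security_getenforce() against selinuxfs at DIR.
# Prints -1 if the enforce flag cannot be read, otherwise its value (0 or 1).
selinux_mode() {
    dir=${1:-/sys/fs/selinux}
    if [ -r "$dir/enforce" ]; then
        cat "$dir/enforce"
    else
        echo -1
    fi
}

# predict_sshd CTX_RC DIR: CTX_RC is the return code of get_default_context()
# (0 = a default context was found). Prints the outcome of the quoted switch.
predict_sshd() {
    ctx_rc=$1
    dir=$2
    if [ "$ctx_rc" -eq 0 ]; then
        echo "ok: default context found, security_getenforce() not consulted"
        return 0
    fi
    case "$(selinux_mode "$dir")" in
        -1) echo "fatal: security_getenforce() failed (no readable enforce flag under ${dir:-/sys/fs/selinux})" ;;
        0)  echo "warn: permissive mode, sshd logs the missing context and continues (assumed branch)" ;;
        *)  echo "fatal: enforcing mode and no default context (assumed branch)" ;;
    esac
}

# Stand-alone use: assume get_default_context() failed (the LXC symptom) and
# probe the usual mount points. Override with SELINUXFS=/path.
if [ -n "${SELINUXFS:-}" ]; then
    predict_sshd 1 "$SELINUXFS"
elif [ -d /selinux ]; then
    predict_sshd 1 /selinux
else
    predict_sshd 1 /sys/fs/selinux
fi
```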


More information about the openssh-unix-dev mailing list