[Bug 1177819] systemd inside Parallels Virtuozzo VM: Failed at step NO_NEW_PRIVILEGES spawning /usr/sbin/amavisd: Invalid argument

bugzilla at redhat.com bugzilla at redhat.com
Sun Jan 4 10:00:26 UTC 2015


https://bugzilla.redhat.com/show_bug.cgi?id=1177819

Peter Bieringer <pb at bieringer.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
     Target Release|---                         |7.1
            Version|epel7                       |7.0
          Component|amavisd-new                 |systemd
                 CC|                            |systemd-maint-list at redhat.c
                   |                            |om
           Assignee|juan.orti at miceliux.com      |systemd-maint at redhat.com
         QA Contact|extras-qa at fedoraproject.org |qe-baseos-daemons at redhat.co
                   |                            |m
            Summary|Failed at step              |systemd inside Parallels
                   |NO_NEW_PRIVILEGES spawning  |Virtuozzo VM: Failed at
                   |/usr/sbin/amavisd: Invalid  |step NO_NEW_PRIVILEGES
                   |argument                    |spawning /usr/sbin/amavisd:
                   |                            |Invalid argument
   Target Milestone|---                         |rc
            Product|Fedora EPEL                 |Red Hat Enterprise Linux 7



--- Comment #2 from Peter Bieringer <pb at bieringer.de> ---
Workaround so far: disabling this NoNewPrivileges option:

# perl -pi.orig -e 's/^(NoNewPrivileges=)true/\1false/' /usr/lib/systemd/system/amavisd-clean-quarantine.service
# perl -pi.orig -e 's/^(NoNewPrivileges=)true/\1false/' /usr/lib/systemd/system/amavisd-clean-tmp.service
# perl -pi.orig -e 's/^(NoNewPrivileges=)true/\1false/' /usr/lib/systemd/system/amavisd.service
# systemctl daemon-reload

BTW: tried to use SecureBits instead, but this is also causing an error:

amavisd[2941]: Failed at step SECUREBITS spawning /usr/sbin/amavisd: Operation not permitted

Assigned this bug now to systemd, looks like Parallels Virtuozzo blocks related
prctl calls (PR_SET_NO_NEW_PRIVS, PR_SET_SECUREBITS) (found in systemd
src/core/execute.c)

# rpm -q systemd
systemd-208-11.el7_0.5.x86_64

Looks like systemd should change its behavior to a "softfail/ignore" in case
prctl calls fail and the reason is the underlying virtualization/container
platform.

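A way to check, on the affected guest, whether the two prctl() calls named in the comment above are accepted before turning NoNewPrivileges= or SecureBits= back on. This is an added example, not code from the bug report or from systemd; the names probe_prctl and classify are made up for this sketch.

```c
/* Added example: probe the two prctl() calls named in the report. */
#include <errno.h>
#include <linux/securebits.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/wait.h>
#include <unistd.h>

enum verdict { SUPPORTED, REJECTED_EINVAL, DENIED_EPERM, OTHER_ERROR };

/* Issue one prctl() in a forked child, so the flag never sticks to the caller.
 * Returns 0 on success, the child's errno on failure, -1 if probing failed. */
int probe_prctl(int option, unsigned long arg2)
{
    int fds[2], err = 0;
    if (pipe(fds) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {                       /* child: try the call, report errno */
        if (prctl(option, arg2, 0UL, 0UL, 0UL) < 0) err = errno;
        _exit(write(fds[1], &err, sizeof err) == (ssize_t)sizeof err ? 0 : 1);
    }
    close(fds[1]);
    ssize_t n = read(fds[0], &err, sizeof err);
    close(fds[0]);
    waitpid(pid, NULL, 0);
    return n == (ssize_t)sizeof err ? err : -1;
}

/* Map errno to the two failure modes quoted in the report. */
enum verdict classify(int err)
{
    if (err == 0) return SUPPORTED;
    if (err == EINVAL) return REJECTED_EINVAL;   /* "Invalid argument" */
    if (err == EPERM) return DENIED_EPERM;       /* "Operation not permitted" */
    return OTHER_ERROR;
}

int main(void)
{
    static const char *text[] = { "supported", "rejected (EINVAL)", "denied (EPERM)", "other error" };
    int nnp = probe_prctl(PR_SET_NO_NEW_PRIVS, 1UL);
    int sb = probe_prctl(PR_SET_SECUREBITS, (unsigned long)SECBIT_NOROOT);
    printf("PR_SET_NO_NEW_PRIVS: %s\n", nnp < 0 ? "probe failed" : text[classify(nnp)]);
    printf("PR_SET_SECUREBITS:   %s\n", sb < 0 ? "probe failed" : text[classify(sb)]);
    return (nnp == 0) ? 0 : 1;
}
```

The exit status is 0 only when PR_SET_NO_NEW_PRIVS is accepted, so the probe can gate a script that restores the .orig unit files.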