Comment 24 for bug 1576341

On 29.03.2017 [03:19:16 -0000], Serge Hallyn wrote:
> Thanks, Nish. My thoughts:
>
> 1.a sounds good

Ack.

> 1.b i'd like another way to do that, but not sure what a better way would
> be.

Yeah, I spent some time looking at the CPC generater and it seems like
this is pretty hard-coded:

999-cpc-fixes.chroot:
## --------------
# for maverick and newer, use LABEL= for the '/' entry in fstab
if [ -n "${root_fs_label}" ]; then
   bl="[:blank:]"
   lstr="LABEL=${root_fs_label}"
   sed -i "s,^[^#${bl}]*\([${bl}]*/[${bl}].*\),${lstr}\1," "${rootd}/etc/fstab"
fi
cat > /etc/fstab << EOM
LABEL=cloudimg-rootfs / ext4 defaults 0 0
EOM

> 1.c does lvm also fail in privileged containers? I can see no use to
> running it (for now) in an unprivileged container, so the same solution
> as 1.a seems reasonable.

It also fails in privileged containers in the same way (see 2.b in
comment 20). Note that it works if I manually start the socket after
boot.

> 1.d
> CAP_ADMIN_READ is not a real capability. So if 1.d is fixed by that,
> then something else is wrong.

Right, follow-on comments indicated it was a thinko on my part. I think
it make sense, based upon the context in the audit bug that perhaps we
just don't do auditing in unprivileged containers (similar to the 1.a
change)?