https://bugzilla.redhat.com/show_bug.cgi?id=1177819
Peter Bieringer pb@bieringer.de changed:
              What |Removed                     |Added
----------------------------------------------------------------------------
     Target Release|---                         |7.1
            Version|epel7                       |7.0
          Component|amavisd-new                 |systemd
                 CC|                            |systemd-maint-list@redhat.com
           Assignee|juan.orti@miceliux.com      |systemd-maint@redhat.com
         QA Contact|extras-qa@fedoraproject.org |qe-baseos-daemons@redhat.com
            Summary|Failed at step              |systemd inside Parallels
                   |NO_NEW_PRIVILEGES spawning  |Virtuozzo VM: Failed at
                   |/usr/sbin/amavisd: Invalid  |step NO_NEW_PRIVILEGES
                   |argument                    |spawning /usr/sbin/amavisd:
                   |                            |Invalid argument
   Target Milestone|---                         |rc
            Product|Fedora EPEL                 |Red Hat Enterprise Linux 7
--- Comment #2 from Peter Bieringer pb@bieringer.de ---
Workaround so far: disabling this NoNewPrivileges option:
# perl -pi.orig -e 's/^(NoNewPrivileges=)true/\1false/' /usr/lib/systemd/system/amavisd-clean-quarantine.service
# perl -pi.orig -e 's/^(NoNewPrivileges=)true/\1false/' /usr/lib/systemd/system/amavisd-clean-tmp.service
# perl -pi.orig -e 's/^(NoNewPrivileges=)true/\1false/' /usr/lib/systemd/system/amavisd.service
# systemctl daemon-reload
BTW: tried to use SecureBits instead, but this is also causing an error:
amavisd[2941]: Failed at step SECUREBITS spawning /usr/sbin/amavisd: Operation not permitted
Assigned this bug now to systemd, looks like Parallels Virtuozzo blocks related prctl calls (PR_SET_NO_NEW_PRIVS, PR_SET_SECUREBITS) (found in systemd src/core/execute.c)
# rpm -q systemd
systemd-208-11.el7_0.5.x86_64
Looks like systemd should change its behavior to a "softfail/ignore" in case prctl calls fail and the reason is the underlying virtualization/container platform.
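
A diagnostic for the failure reported in this comment, added here as an example and not taken from systemd or from the bug report: it tries PR_SET_NO_NEW_PRIVS in a forked child and classifies the resulting errno, so EINVAL (the "Invalid argument" in the log, which prctl returns for an option the running kernel does not recognise) can be told apart from EPERM ("Operation not permitted"). The function and enum names are hypothetical.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef PR_SET_NO_NEW_PRIVS
#define PR_SET_NO_NEW_PRIVS 38 /* value from linux/prctl.h, for old headers */
#endif

/* Hypothetical names for this example; not systemd code. */
enum nnp_status { NNP_OK, NNP_UNKNOWN_OPTION, NNP_DENIED, NNP_OTHER };

/* Map the errno of a prctl() attempt (0 = success) to a likely cause. */
enum nnp_status classify_prctl_errno(int err)
{
    switch (err) {
    case 0:      return NNP_OK;
    case EINVAL: return NNP_UNKNOWN_OPTION; /* "Invalid argument" */
    case EPERM:  return NNP_DENIED;         /* "Operation not permitted" */
    default:     return NNP_OTHER;
    }
}

/* Try PR_SET_NO_NEW_PRIVS in a forked child so the caller's own flag stays
 * untouched. Returns the child's errno (0 on success), -1 if the probe failed. */
int probe_no_new_privs(void)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        int rc = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
        _exit(rc == 0 ? 0 : (errno & 0xff)); /* errno fits in exit status */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    int err = probe_no_new_privs();
    if (err < 0) { fprintf(stderr, "probe failed\n"); return 2; }
    enum nnp_status st = classify_prctl_errno(err);
    printf("PR_SET_NO_NEW_PRIVS: %s (%s)\n",
           st == NNP_OK ? "supported" : "unavailable", err ? strerror(err) : "ok");
    return st == NNP_OK ? 0 : 1;
}
```

Run inside the affected guest, a non-zero exit status means NoNewPrivileges=true in a unit file cannot be honoured there.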