[systemd-devel] [PATCH] bus-proxy: cloning smack label
Lennart Poettering
lennart at poettering.net
Wed Dec 10 13:37:35 PST 2014
On Tue, 09.12.14 18:26, Lennart Poettering (lennart at poettering.net) wrote:
Przemyslaw,
> > +++ b/units/user at .service.m4.in
> > @@ -0,0 +1,23 @@
> > +# This file is part of systemd.
> > +#
> > +# systemd is free software; you can redistribute it and/or modify it
> > +# under the terms of the GNU Lesser General Public License as published by
> > +# the Free Software Foundation; either version 2.1 of the License, or
> > +# (at your option) any later version.
> > +
> > +[Unit]
> > +Description=User Manager for UID %i
> > +After=systemd-user-sessions.service
> > +
> > +[Service]
> > +User=%i
> > +PAMName=systemd-user
> > +Type=notify
> > +ExecStart=- at rootlibexecdir@/systemd --user
> > +Slice=user-%i.slice
> > +KillMode=mixed
> > +Delegate=yes
> > +m4_ifdef(`HAVE_SMACK',
> > +Capabilities=cap_mac_admin=i
> > +SecureBits=keep-caps
> > +)
I have reverted the last bit above again, since it broke bootups in
nspawn machines. I figure the CAP_MAC_ADMIN capability is missing from
the bounding set in an nspawn, and that breaks the caps logic here.
We should find another solution for this. I wanted to get 218 out of
the door, hence I reverted this bit for now, but we really should fine
a longer term solution for this.
I build systemd with SMACK on, but turned off in the kernel.
Any suggestions what we can do here?
Lennart
--
Lennart Poettering, Red Hat
More information about the systemd-devel
mailing list