[systemd-devel] [PATCH] bus-proxy: cloning smack label

Lennart Poettering lennart at poettering.net
Wed Dec 10 13:37:35 PST 2014


On Tue, 09.12.14 18:26, Lennart Poettering (lennart at poettering.net) wrote:

Przemyslaw,

> > +++ b/units/user at .service.m4.in
> > @@ -0,0 +1,23 @@
> > +#  This file is part of systemd.
> > +#
> > +#  systemd is free software; you can redistribute it and/or modify it
> > +#  under the terms of the GNU Lesser General Public License as published by
> > +#  the Free Software Foundation; either version 2.1 of the License, or
> > +#  (at your option) any later version.
> > +
> > +[Unit]
> > +Description=User Manager for UID %i
> > +After=systemd-user-sessions.service
> > +
> > +[Service]
> > +User=%i
> > +PAMName=systemd-user
> > +Type=notify
> > +ExecStart=- at rootlibexecdir@/systemd --user
> > +Slice=user-%i.slice
> > +KillMode=mixed
> > +Delegate=yes
> > +m4_ifdef(`HAVE_SMACK',
> > +Capabilities=cap_mac_admin=i
> > +SecureBits=keep-caps
> > +)

I have reverted the last bit above again, since it broke bootups in
nspawn machines. I figure the CAP_MAC_ADMIN capability is missing from
the bounding set in an nspawn, and that breaks the caps logic here.

We should find another solution for this. I wanted to get 218 out of
the door, hence I reverted this bit for now, but we really should fine
a longer term solution for this.

I build systemd with SMACK on, but turned off in the kernel. 

Any suggestions what we can do here?

Lennart

-- 
Lennart Poettering, Red Hat


More information about the systemd-devel mailing list