[systemd-devel] systemd fails to boot OLPC XO-1.5

Daniel Drake dsd at laptop.org
Mon May 9 01:52:17 PDT 2011


On 7 May 2011 23:43, Daniel Drake <dsd at laptop.org> wrote:
> On 7 May 2011 23:30, Kay Sievers <kay.sievers at vrfy.org> wrote:
>> You need capabilities in your kernel, or comment its use out, in the
>> service file.
>
> I think I have capabilities in my kernel: CONFIG_SECURITY=y which
> means security/capability.c gets compiled in. Were you thinking of
> something else?
>
> Commenting out CapabilityBoundingSet from systemd-kmsg-syslogd.service
> does fix the issue and allow boot to continue. Thanks!
>
> Is this a systemd bug (maybe it should ignore CapabilityBoundingSet
> lines when capabilities aren't available?) or do I need to decide
> between hacking systemd unit files or going with this requirement?

I looked further.

systemd.exec man page pointed me to capabilities(7) man page. That man
page says:

       Removing capabilities from the bounding set is only supported if file
       capabilities are compiled into the kernel (CONFIG_SECURITY_FILE_CAPABILITIES).

That option doesn't exist in the kernel any more, it was removed by:

commit b3a222e52e4d4be77cc4520a57af1a4a0d8222d1
Author: Serge E. Hallyn <serue at us.ibm.com>
Date:   Mon Nov 23 16:21:30 2009 -0600

    remove CONFIG_SECURITY_FILE_CAPABILITIES compile option

That commit made it be unconditionally on, in agreement with this part
of security/Makefile in modern kernels:

    # always enable default capabilities
    obj-y					+= commoncap.o

So, I don't think it's possible to build a kernel without capabilities
support. The problem must be something else (but commenting out those
CapabilityBoundingSet lines does work around the problem). Any ideas /
next debugging steps?

I filed a bug for the /sys/kernel/security problem:
https://bugs.freedesktop.org/show_bug.cgi?id=36993

Thanks,
Daniel
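The thread turns on what CapabilityBoundingSet= actually asks the kernel to do: for every capability not in the listed set, drop it from the service's bounding set with prctl(PR_CAPBSET_DROP), which the kernel only honours when the bounding-set code (the former CONFIG_SECURITY_FILE_CAPABILITIES) is present and the caller holds CAP_SETPCAP. The program below is an added illustration of that mechanism, not systemd's own implementation and not code from this thread: it parses a unit-file style allowlist into a bitmask, probes with PR_CAPBSET_READ whether the running kernel supports bounding-set operations at all (the question Daniel was asking), and then performs the drops, reporting errno instead of aborting. All function names are my own; the `~` inversion syntax systemd accepts is not handled.

```c
// Added example: mirrors the mechanism behind systemd's CapabilityBoundingSet=.
// Not systemd code; function names and the sample allowlist are constructed here.
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <linux/capability.h>
#include <sys/prctl.h>

#define X(c) { #c, c }
// Name table for the 32 classic capabilities (values come from linux/capability.h).
static const struct { const char *name; int value; } cap_table[] = {
    X(CAP_CHOWN), X(CAP_DAC_OVERRIDE), X(CAP_DAC_READ_SEARCH), X(CAP_FOWNER),
    X(CAP_FSETID), X(CAP_KILL), X(CAP_SETGID), X(CAP_SETUID), X(CAP_SETPCAP),
    X(CAP_LINUX_IMMUTABLE), X(CAP_NET_BIND_SERVICE), X(CAP_NET_BROADCAST),
    X(CAP_NET_ADMIN), X(CAP_NET_RAW), X(CAP_IPC_LOCK), X(CAP_IPC_OWNER),
    X(CAP_SYS_MODULE), X(CAP_SYS_RAWIO), X(CAP_SYS_CHROOT), X(CAP_SYS_PTRACE),
    X(CAP_SYS_PACCT), X(CAP_SYS_ADMIN), X(CAP_SYS_BOOT), X(CAP_SYS_NICE),
    X(CAP_SYS_RESOURCE), X(CAP_SYS_TIME), X(CAP_SYS_TTY_CONFIG), X(CAP_MKNOD),
    X(CAP_LEASE), X(CAP_AUDIT_WRITE), X(CAP_AUDIT_CONTROL), X(CAP_SETFCAP),
};
#undef X

// Returns the capability number for a name such as "CAP_SYS_ADMIN", or -1 if unknown.
int cap_from_name(const char *name)
{
    for (size_t i = 0; i < sizeof cap_table / sizeof cap_table[0]; i++)
        if (strcmp(cap_table[i].name, name) == 0)
            return cap_table[i].value;
    return -1;
}

// Parses a space-separated allowlist ("CAP_NET_BIND_SERVICE CAP_CHOWN") into a bitmask.
// Returns 0 on success, -1 on the first unknown name (as systemd would reject the unit).
int parse_bounding_set(const char *spec, uint64_t *mask_out)
{
    uint64_t mask = 0;
    char name[64];
    int consumed;
    while (sscanf(spec, " %63s%n", name, &consumed) == 1) {
        int cap = cap_from_name(name);
        if (cap < 0 || cap >= 64)
            return -1;
        mask |= 1ULL << cap;
        spec += consumed;
    }
    *mask_out = mask;
    return 0;
}

// Probe for bounding-set support: PR_CAPBSET_READ fails with EINVAL on a kernel
// without it, and needs no privilege, so it is a safe pre-flight check.
int kernel_supports_capbset(void)
{
    return prctl(PR_CAPBSET_READ, (unsigned long)CAP_CHOWN, 0, 0, 0) >= 0;
}

// Drops every capability not in keep_mask from the caller's bounding set.
// Returns the number of capabilities dropped, or -errno on the first failure
// (EPERM when the caller lacks CAP_SETPCAP, EINVAL when the kernel cannot do it).
int apply_bounding_set(uint64_t keep_mask)
{
    int dropped = 0;
    // Two passes: CAP_SETPCAP authorises the drops themselves, so it must go last.
    for (int pass = 0; pass < 2; pass++) {
        for (int cap = 0; cap <= CAP_LAST_CAP && cap < 64; cap++) {
            if ((cap == CAP_SETPCAP) != (pass == 1))
                continue;
            if (keep_mask & (1ULL << cap))
                continue;
            int present = prctl(PR_CAPBSET_READ, (unsigned long)cap, 0, 0, 0);
            if (present < 0 && errno == EINVAL)
                continue;            // this kernel predates the capability; nothing to drop
            if (present == 0)
                continue;            // already absent from the bounding set
            if (prctl(PR_CAPBSET_DROP, (unsigned long)cap, 0, 0, 0) < 0)
                return -errno;
            dropped++;
        }
    }
    return dropped;
}

int main(void)
{
    uint64_t keep;
    // Constructed allowlist in the style of a CapabilityBoundingSet= line.
    if (parse_bounding_set("CAP_NET_BIND_SERVICE CAP_CHOWN", &keep) < 0) {
        fprintf(stderr, "unknown capability name in allowlist\n");
        return 1;
    }
    if (!kernel_supports_capbset()) {
        fprintf(stderr, "kernel does not support capability bounding sets (%s)\n",
                strerror(errno));
        return 1;
    }
    int r = apply_bounding_set(keep);
    if (r < 0)
        fprintf(stderr, "bounding set drop failed: %s\n", strerror(-r));
    else
        printf("dropped %d capabilities; run 'grep CapBnd /proc/self/status' to compare\n", r);
    return r < 0;
}
```

Run as an unprivileged user the drops fail with EPERM (no CAP_SETPCAP) while the support probe still succeeds; that split is what distinguishes "the kernel cannot do this" from "this process is not allowed to", which is the distinction the thread needed when the service file's CapabilityBoundingSet line stopped boot.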

