[systemd-devel] [PATCH] bus-proxy: cloning smack label

Karol Lewandowski k.lewandowsk at samsung.com
Tue Dec 16 09:07:14 PST 2014


On 2014-12-10 22:37, Lennart Poettering wrote:
> On Tue, 09.12.14 18:26, Lennart Poettering (lennart at poettering.net) wrote:
> 
> Przemyslaw,
> 
>>> +++ b/units/user at .service.m4.in
>>> @@ -0,0 +1,23 @@
>>> +#  This file is part of systemd.
>>> +#
>>> +#  systemd is free software; you can redistribute it and/or modify it
>>> +#  under the terms of the GNU Lesser General Public License as published by
>>> +#  the Free Software Foundation; either version 2.1 of the License, or
>>> +#  (at your option) any later version.
>>> +
>>> +[Unit]
>>> +Description=User Manager for UID %i
>>> +After=systemd-user-sessions.service
>>> +
>>> +[Service]
>>> +User=%i
>>> +PAMName=systemd-user
>>> +Type=notify
>>> +ExecStart=- at rootlibexecdir@/systemd --user
>>> +Slice=user-%i.slice
>>> +KillMode=mixed
>>> +Delegate=yes
>>> +m4_ifdef(`HAVE_SMACK',
>>> +Capabilities=cap_mac_admin=i
>>> +SecureBits=keep-caps
>>> +)
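
Review bot: the m4_ifdef(`HAVE_SMACK', ...) block at the end of [Service] makes Capabilities=cap_mac_admin=i and SecureBits=keep-caps a build-time decision, so a systemd built with SMACK support applies both settings on every system it runs on, whether or not SMACK is active at runtime. Nothing in the unit checks at runtime that SMACK is enabled or that the capability can actually be granted. These two lines should be gated on a runtime condition, or applied by code that can skip them when the capability is unavailable, rather than on a compile-time macro. A short comment in the unit saying why the user manager needs cap_mac_admin in its inheritable set would also help the next reader.
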
> 
> I have reverted the last bit above again, since it broke bootups in
> nspawn machines. I figure the CAP_MAC_ADMIN capability is missing from
> the bounding set in an nspawn, and that breaks the caps logic here.
> 
> We should find another solution for this. I wanted to get 218 out of
> the door, hence I reverted this bit for now, but we really should find
> a longer term solution for this.
> 
> I build systemd with SMACK on, but turned off in the kernel. 
> 
> Any suggestions what we can do here?

ConditionSecurity=smack instead of HAVE_SMACK would work, but it would
also require a separate unit for the non-smack case, which is crap.  No easy
solutions come to my mind right now, unfortunately...

Cheers,
-- 
Karol Lewandowski, Samsung R&D Institute Poland

