[systemd-devel] [PATCH] bus-proxy: cloning smack label
k.lewandowsk at samsung.com
Tue Dec 16 09:07:14 PST 2014
On 2014-12-10 22:37, Lennart Poettering wrote:
> On Tue, 09.12.14 18:26, Lennart Poettering (lennart at poettering.net) wrote:
>>> +++ b/units/user at .service.m4.in
>>> @@ -0,0 +1,23 @@
>>> +# This file is part of systemd.
>>> +# systemd is free software; you can redistribute it and/or modify it
>>> +# under the terms of the GNU Lesser General Public License as published by
>>> +# the Free Software Foundation; either version 2.1 of the License, or
>>> +# (at your option) any later version.
>>> +Description=User Manager for UID %i
>>> +ExecStart=- at rootlibexecdir@/systemd --user
> I have reverted the last bit above again, since it broke bootups in
> nspawn machines. I figure the CAP_MAC_ADMIN capability is missing from
> the bounding set in an nspawn, and that breaks the caps logic here.
> We should find another solution for this. I wanted to get 218 out of
> the door, hence I reverted this bit for now, but we really should fine
> a longer term solution for this.
> I build systemd with SMACK on, but turned off in the kernel.
> Any suggestions what we can do here?
ConditionSecurity=smack instead of HAVE_SMACK would work, but it would
also require separate unit for non-smack case, which is crap. No easy
solutions come to my mind right now, unfortunately...
Karol Lewandowski, Samsung R&D Institute Poland
More information about the systemd-devel