[systemd-devel] [PATCH v2 1/2] Smack - relabel directories and files created by systemd

Zbigniew Jędrzejewski-Szmek zbyszek at in.waw.pl
Wed Feb 19 11:05:25 PST 2014


On Wed, Feb 19, 2014 at 04:17:15PM +0100, Łukasz Stelmach wrote:
> It was <2014-02-19 śro 16:05>, when Zbigniew Jędrzejewski-Szmek wrote:
> > On Wed, Feb 19, 2014 at 03:44:32PM +0100, Łukasz Stelmach wrote:
> >> How to have support for more than one security fw reasonably
> >> compiled in? (I think this is the moment to create the pattern).
> > Why not? It would be rather constraining for a distribution which wants
> > to support more than one. systemd should just perform the steps necessary
> > for all frameworks compiled in, silently ignoring failures coming
> > from missing frameworks.
> 
> Hmm... silent ignoring makes things hard to debug.
 
Verbose failure is what is done currently. (In general, I'm sure
that there are various places where stuff could be improved). When
systemd is started, it'll try to initialize SELinux, AppArmor, etc. If
there's no configuration for a specific LSM, it is silently
ignored. If there is configuration, but it cannot be loaded, errors
are printed. Likewise for unit files: if specific directives cannot be
executed, warnings are printed. Depending on the specific directive,
this can result in continued execution or in an error. If support for
a specific security framework is not compiled into systemd, warnings
are printed.

> The most robust way for systemd is:
> 1) to check in runtime which frameworks are supported,
We have use_selinux(), use_apparmor(), use_smack().

> 2) to attempt an action for every one of them,
> 3) to return an error if ANY of the actions fail.

In general yes, but different frameworks need hooks in different places.
So we generally insert a call to a function specific to a framework,
and inside this function, a use_*() test is performed, and suitably,
either nothing is done or the setup is performed. If an error happens,
it is up to this function to decide whether silent failure, warning,
or an error are warranted.

Zbyszek
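The pattern Zbyszek describes above, as an added example that is not systemd code and not part of this thread: one hook per framework, a runtime "is it in use?" test inside the hook (standing in for systemd's use_selinux()/use_apparmor()/use_smack()), and a per-hook decision between silently skipping, warning, or failing. The probe-by-path check, the policy enum and the hook table are assumptions made for this illustration; the probe paths are chosen so the program behaves identically on any machine.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* What a hook does when its setup step fails (constructed for this example). */
enum lsm_policy { LSM_POLICY_IGNORE, LSM_POLICY_WARN, LSM_POLICY_FAIL };

/* One entry per framework: a runtime presence probe, the setup step,
 * and the failure policy that the framework-specific function applies. */
typedef struct {
        const char *name;
        const char *probe_path;  /* assumption: path whose presence means "in use" */
        int (*setup)(void);      /* returns 0 on success or a negative errno */
        enum lsm_policy on_failure;
} lsm_hook;

/* Plays the role of a use_*() helper: decide at runtime whether the
 * framework is active. Modelled here as the existence of a path. */
static bool lsm_in_use(const lsm_hook *h) {
        return access(h->probe_path, F_OK) == 0;
}

/* Run one framework-specific hook. A framework that is not in use is skipped
 * silently; a failing setup is handled according to the hook's own policy. */
int lsm_run_hook(const lsm_hook *h) {
        int r;

        if (!lsm_in_use(h))
                return 0;  /* no configuration for this LSM: nothing to do */

        r = h->setup();
        if (r >= 0)
                return 0;

        switch (h->on_failure) {
        case LSM_POLICY_IGNORE:
                return 0;
        case LSM_POLICY_WARN:
                fprintf(stderr, "warning: %s setup failed: %s\n", h->name, strerror(-r));
                return 0;
        case LSM_POLICY_FAIL:
        default:
                fprintf(stderr, "error: %s setup failed: %s\n", h->name, strerror(-r));
                return r;
        }
}

/* Run every compiled-in hook in order; the first fatal failure stops the sequence. */
int lsm_run_all(const lsm_hook *hooks, size_t n) {
        for (size_t i = 0; i < n; i++) {
                int r = lsm_run_hook(&hooks[i]);
                if (r < 0)
                        return r;
        }
        return 0;
}

/* Constructed setup steps standing in for real relabel / policy-load work. */
static int setup_ok(void)  { return 0; }
static int setup_eio(void) { return -EIO; }

/* Constructed hook table. "/" always exists (framework "in use"); the
 * /nonexistent path never does (framework absent, hook skipped silently). */
const lsm_hook example_hooks[] = {
        { "selinux-absent", "/nonexistent/constructed/selinux", setup_eio, LSM_POLICY_FAIL },
        { "apparmor-warn",  "/",                                setup_eio, LSM_POLICY_WARN },
        { "smack-ok",       "/",                                setup_ok,  LSM_POLICY_FAIL },
};
const size_t example_hooks_len = sizeof(example_hooks) / sizeof(example_hooks[0]);

/* A hook whose framework is present, whose setup fails, and whose policy is fatal. */
const lsm_hook fatal_hook = { "smack-fatal", "/", setup_eio, LSM_POLICY_FAIL };

int main(void) {
        int r = lsm_run_all(example_hooks, example_hooks_len);
        printf("non-fatal sequence -> %d\n", r);   /* 0: absent LSM skipped, warning logged */
        r = lsm_run_hook(&fatal_hook);
        printf("fatal hook -> %d\n", r);           /* -EIO propagated to the caller */
        return 0;
}
```

The first table entry shows the "silent ignore" case Łukasz worried about: the probe says the framework is absent, so its fatal policy is never consulted. Whether the per-hook policy is IGNORE, WARN or FAIL is what makes the difference between an undebuggable silent failure and a logged one.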

