[systemd-devel] "Failed to determine peer security context: Protocol not available" on kernels with disabled selinux

Lennart Poettering lennart at poettering.net
Wed Nov 11 03:23:39 PST 2015

On Tue, 10.11.15 22:53, Igor Zhbanov (izh1979 at gmail.com) wrote:

> Hi!
> I see lots of messages (with systemd debug enabled) on the kernel with
> selinux disabled:
> systemd[1]: Failed to determine peer security context: Protocol not available
> As I understand, this happen because getsockopt() returns ENOPROTOOPT,
> and systemd
> checks for EOPNOTSUPP.

Hmm, how did you disable selinux/smack here? disabled at compile-time?
or at runtime via a kernel cmldine option like selinux=0?

>         /* Get the peer for socketpair() sockets */
>         b->ucred_valid = getpeercred(b->input_fd, &b->ucred) >= 0;
>         /* Get the SELinux context of the peer */
>         r = getpeersec(b->input_fd, &b->label);
>         if (r < 0 && r != -EOPNOTSUPP)
>                 log_debug_errno(r, "Failed to determine peer security
> context: %m");

I figure we should wrap this in a mac_selinux_use() check like we do
for the other cases, otherwise we'd mistake a SMACK label for an
selinux one... That would solve the issue at hand.

Will fix.


Lennart Poettering, Red Hat

More information about the systemd-devel mailing list