[systemd-devel] "Failed to determine peer security context: Protocol not available" on kernels with disabled selinux
Lennart Poettering
lennart at poettering.net
Wed Nov 11 03:23:39 PST 2015
On Tue, 10.11.15 22:53, Igor Zhbanov (izh1979 at gmail.com) wrote:
> Hi!
>
> I see lots of messages (with systemd debug enabled) on the kernel with
> selinux disabled:
> systemd[1]: Failed to determine peer security context: Protocol not available
>
> As I understand, this happens because getsockopt() returns ENOPROTOOPT,
> and systemd checks for EOPNOTSUPP.
Hmm, how did you disable selinux/smack here? disabled at compile-time?
or at runtime via a kernel cmdline option like selinux=0?
>
> /* Get the peer for socketpair() sockets */
> b->ucred_valid = getpeercred(b->input_fd, &b->ucred) >= 0;
>
> /* Get the SELinux context of the peer */
> r = getpeersec(b->input_fd, &b->label);
> if (r < 0 && r != -EOPNOTSUPP)
>         log_debug_errno(r, "Failed to determine peer security context: %m");
I figure we should wrap this in a mac_selinux_use() check like we do
for the other cases, otherwise we'd mistake a SMACK label for an
selinux one... That would solve the issue at hand.
Will fix.
Lennart
--
Lennart Poettering, Red Hat