[systemd-devel] SMACK runtime vs build-time checks? (aka: tmp.mount broke my boot)

Karel Zak kzak at redhat.com
Tue Oct 27 02:35:36 PDT 2015


On Sun, Oct 18, 2015 at 12:22:15PM +0200, Kay Sievers wrote:
> On Sun, Oct 18, 2015 at 6:01 AM, Mantas Mikulėnas <grawity at gmail.com> wrote:
> > So far all existing SELinux and SMACK options had runtime checks – if
> > systemd was built with +SMACK but the kernel wasn't, it still worked fine.
> > (Arch uses such a configuration.)
> >
> > But then https://github.com/systemd/systemd/issues/1571 added an option to
> > tmp.mount which only depends on the build-time option, which creates
> > problems when booting a non-SMACK kernel...
> >
> > Any ideas on how to fix it? All previous such fixes were for API filesystems
> > in mount-setup.c and could do flexible checks, but that clearly won't work
> > for mount units.
> 
> I have reverted it. It needs a different solution.

I'm not sure how systemd mounts /tmp, but if you have mount(8) with
smack (util-linux --with-smack) and you have a kernel with disabled
smack, then mount(8) removes the smack mount options before it calls
the mount(2) syscall.

It means that your fstab is always valid independently of your kernel.
We use the same approach for SELinux.

    Karel

-- 
 Karel Zak  <kzak at redhat.com>
 http://karelzak.blogspot.com
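As an added illustration (this is not code from util-linux, systemd or anyone in the thread), the following POSIX shell functions mimic the runtime behaviour Karel describes: decide at boot time whether the running kernel has SMACK, and if it does not, drop the SMACK mount options from an fstab option string before handing it to mount(2), so the same fstab line works on both kernels. The detection via /sys/fs/smackfs and the list of option names (smackfsdef, smackfsroot, smackfshat, smackfsfloor, smackfstransmute) are my assumptions about what libmount keys on, not facts stated in the message; `mount_smack_aware` is a hypothetical helper and needs root to actually mount anything.

```shell
#!/bin/sh
# Runtime (not build-time) SMACK handling for mount options.
# Added example; assumptions are marked below.

# smack_enabled: return 0 if the running kernel exposes SMACK.
# Assumption: like util-linux, treat the presence of /sys/fs/smackfs
# as the indicator that SMACK is active.
smack_enabled() {
    [ -e /sys/fs/smackfs ]
}

# strip_smack_opts OPTSTRING ENABLED
# Print OPTSTRING unchanged when ENABLED is non-zero; otherwise print
# it with every SMACK-specific option removed. Falls back to "defaults"
# when nothing is left, so mount(8) still gets a valid option string.
# Assumption: the five smackfs* options below are the SMACK mount
# options a SMACK-less kernel would reject with EINVAL.
strip_smack_opts() {
    opts=$1
    enabled=$2
    if [ "$enabled" -ne 0 ]; then
        printf '%s\n' "$opts"
        return 0
    fi
    out=
    old_ifs=$IFS
    IFS=,
    # Disable globbing: labels such as smackfsroot=* contain '*' and
    # must not be expanded against the current directory.
    set -f
    for o in $opts; do
        case $o in
            '') ;;                       # skip empty fields from ",,"
            smackfsdef=*|smackfsroot=*|smackfshat=*|\
            smackfsfloor=*|smackfstransmute=*) ;;   # drop SMACK options
            *) out="${out:+$out,}$o" ;;  # keep everything else
        esac
    done
    set +f
    IFS=$old_ifs
    printf '%s\n' "${out:-defaults}"
}

# mount_smack_aware DIR OPTS
# Hypothetical helper: mount a tmpfs on DIR using an fstab-style option
# string, filtered according to what the running kernel supports.
mount_smack_aware() {
    dir=$1
    fstab_opts=$2
    if smack_enabled; then enabled=1; else enabled=0; fi
    opts=$(strip_smack_opts "$fstab_opts" "$enabled")
    mount -t tmpfs -o "$opts" tmpfs "$dir"
}

# Demonstration on a constructed fstab option string (no mount performed).
strip_smack_opts 'mode=1777,strictatime,nosuid,nodev,smackfsroot=*,smackfstransmute=_' 0
```

Run with `sh` on any system; only `mount_smack_aware` touches the kernel, and it is not invoked by the script itself.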

