[systemd-devel] SMACK runtime vs build-time checks? (aka: tmp.mount broke my boot)

Lennart Poettering lennart at poettering.net
Tue Oct 27 07:14:14 PDT 2015


On Tue, 27.10.15 10:35, Karel Zak (kzak at redhat.com) wrote:

> On Sun, Oct 18, 2015 at 12:22:15PM +0200, Kay Sievers wrote:
> > On Sun, Oct 18, 2015 at 6:01 AM, Mantas Mikulėnas <grawity at gmail.com> wrote:
> > > So far all existing SELinux and SMACK options had runtime checks – if
> > > systemd was built with +SMACK but the kernel wasn't, it still worked fine.
> > > (Arch uses such a configuration.)
> > >
> > > But then https://github.com/systemd/systemd/issues/1571 added an option to
> > > tmp.mount which only depends on the build-time option, which creates
> > > problems when booting a non-SMACK kernel...
> > >
> > > Any ideas on how to fix it? All previous such fixes were for API filesystems
> > > in mount-setup.c and could do flexible checks, but that clearly won't work
> > > for mount units.
> > 
> > I have reverted it. It needs a different solution.
> 
> I'm not sure how systemd mounts /tmp, but if you have mount(8) with
> smack (util-linux --with-smack) and you have a kernel with disabled
> smack, then mount(8) removes the smack mount options before it calls
> the mount(2) syscall.
> 
> It means that your fstab is always valid independently of your kernel.
> We use the same for SELinux.

Yes, we do use /bin/mount for mounting /tmp, so the whole patch
appears unnecessary. I have thus filed an issue about this, so that we
remove the whole feature again if we don't actually need it:

https://github.com/systemd/systemd/issues/1696

Let's continue discussion there.

Lennart

-- 
Lennart Poettering, Red Hat
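As an added example (not code from this thread, util-linux or systemd), a small shell mock-up of the runtime behaviour Karel describes: probe whether the running kernel has SMACK and, if it does not, strip the smackfs* options from a mount option line so that one fstab entry or mount unit works on both SMACK and non-SMACK kernels. The /sys/fs/smackfs probe path and the sample option strings are assumptions.

```shell
# Runtime probe for SMACK support. The smackfs mount point is an assumption
# (systemd's mac_smack_use() looks at /sys/fs/smackfs the same way); an
# alternative path can be passed as $1 for testing.
smack_enabled() {
    [ -d "${1:-/sys/fs/smackfs}" ]
}

# Remove SMACK-specific options (smackfsroot=, smackfsdef=, smackfshat=,
# smackfsfloor=, smackfstransmute=) from a comma-separated mount option
# string, leaving everything else in its original order.
strip_smack_opts() {
    _out=
    case $- in *f*) _had_f=1 ;; *) _had_f= ;; esac
    set -f                      # no pathname expansion while splitting on ','
    _old_ifs=$IFS
    IFS=,
    for _opt in $1; do
        case $_opt in
            '')        ;;       # skip empty fields such as "a,,b"
            smackfs*)  ;;       # drop SMACK option
            *)         _out=${_out:+$_out,}$_opt ;;
        esac
    done
    IFS=$_old_ifs
    [ -n "$_had_f" ] || set +f
    printf '%s\n' "$_out"
}

# The option string that should reach mount(2): unchanged when the running
# kernel has SMACK, otherwise with the SMACK options stripped.
# Usage: effective_mount_opts OPTIONS [SMACKFS_DIR]
effective_mount_opts() {
    if smack_enabled "$2"; then
        printf '%s\n' "$1"
    else
        strip_smack_opts "$1"
    fi
}

# Constructed sample: a tmp.mount-style option line carrying a SMACK label.
effective_mount_opts 'mode=1777,strictatime,nosuid,nodev,smackfsroot=*'
```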