[systemd-devel] Supervisory Watchdog notification not working when using SmackProcessLabel

Martin Townsend mtownsend1973 at gmail.com
Wed Aug 1 10:18:29 UTC 2018


Hi,

I have a service running with a SmackProcessLabel that uses the
supervisory watchdog feature, ie calls sd_notify().  The Watchdog
keeps resetting the service and I get the following in the journal

Jul 27 11:36:11 kernel: audit: type=1400 audit(1532691371.270:34):
lsm=SMACK fn=smack_unix_may_send action=denied subject="apphealthd"
object="_" requested=w pid=466 comm="apphealthd"
path="/run/systemd/notify"

/run/systemd/notify is a socket so I'm guessing sd_notify kicks the
watchdog by writing to this socket.  The problem seems to be that the
socket is labelled with the floor label.

After looking through the code that sets up the notify socket I
quickly patched in some code to set SMACK64IPIN and IPOUT (not sure if
this one is required).

@@ -728,7 +729,12 @@ static int manager_setup_notify(Manager *m) {

                 m->notify_fd = fd;
                 fd = -1;
-
+                r = mac_smack_apply_fd(m->notify_fd, SMACK_ATTR_IPIN, "*");
+                if (r < 0)
+                        log_error_errno(r, "mac_smack_apply_ip_in_fd: %m");
+                r = mac_smack_apply_fd(m->notify_fd, SMACK_ATTR_IPOUT, "@");
+                if (r < 0)
+                        log_error_errno(r, "mac_smack_apply_ip_out_fd: %m");
                 log_debug("Using notification socket %s", m->notify_socket);
         }

And the audit message has gone.

Is there a better way of ensuring /run/systemd/notify can be accessed
by a service with a User defined SMACK label? or is this patch to
manager_setup_notify sufficient?

Many Thanks in Advance,
Martin.


More information about the systemd-devel mailing list