[systemd-devel] Supervisory Watchdog notification not working when using SmackProcessLabel

Lennart Poettering lennart at poettering.net
Thu Aug 2 09:25:18 UTC 2018


On Mi, 01.08.18 11:18, Martin Townsend (mtownsend1973 at gmail.com) wrote:

> @@ -728,7 +729,12 @@ static int manager_setup_notify(Manager *m) {
> 
>                  m->notify_fd = fd;
>                  fd = -1;
> -
> +                r = mac_smack_apply_fd(m->notify_fd, SMACK_ATTR_IPIN, "*");
> +                if (r < 0)
> +                        log_error_errno(r, "mac_smack_apply_ip_in_fd: %m");
> +                r = mac_smack_apply_fd(m->notify_fd, SMACK_ATTR_IPOUT, "@");
> +                if (r < 0)
> +                        log_error_errno(r, "mac_smack_apply_ip_out_fd: %m");
>                  log_debug("Using notification socket %s", m->notify_socket);
>          }
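
Review bot: Both added `if (r < 0)` branches after the mac_smack_apply_fd() calls log at error level and then continue, so a failed label assignment leaves the notify socket in use without the intended labels and leaves r holding the negative value. Decide whether the failure is fatal (`return log_error_errno(r, ...)`) or tolerable (log_warning_errno(), with a message that says setup continues). The message strings "mac_smack_apply_ip_in_fd" and "mac_smack_apply_ip_out_fd" do not match the function actually called, mac_smack_apply_fd(); text describing the action, such as "Failed to set SMACK ipin label on notification socket: %m", would be easier to act on. A short comment explaining why "*" is chosen for SMACK_ATTR_IPIN and "@" for SMACK_ATTR_IPOUT would help reviewers who do not know SMACK, and the blank line before log_debug() that the hunk removes should stay.
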
> 
> Is there a better way of ensuring /run/systemd/notify can be accessed
> by a service with a user-defined SMACK label? Or is this patch to
> manager_setup_notify sufficient?

Generally, we upstream rely on submitted patches for everything MAC
related. We do not know the various MACs well enough to be able to
maintain this part of our codebase on our own.

Hence, if a patch like the one above is something we are supposed to
merge upstream, then please post this as a PR on our systemd GitHub, and
make sure that someone from SMACK upstream (for example Casey) likes
it and says so on the PR.

Thank you,

Lennart

-- 
Lennart Poettering, Red Hat

