[systemd-devel] system failing to boot with SMACK/IMA enabled.
Lennart Poettering
lennart at poettering.net
Tue Mar 20 10:30:57 UTC 2018
On Mi, 14.03.18 23:05, Martin Townsend (mtownsend1973 at gmail.com) wrote:
> Hi,
>
> I'm getting the following log when booting with IMA/EVM and SMACK
> enabled. Before I start delving into IMA and SMACK does anyone know
> of any fixes that have gone into systemd that would fix the problem
> I'm seeing below. I've not seen anything by looking through git log
> or on the internet but may have missed something.
>
> I'm using systemd 229 with a 4.9 kernel. The SMACK policy is pretty
> much the default. If I boot with just IMA/EVM enabled it's fine and I
> can check signatures etc with evmctl. If I boot with an image that
> hasn't been signed and just SMACK then it's fine. If I do both I get
> the following:
Uh, we generally rely on external patches for SMACK, IMA, SELinux and
AppArmor management, none of us systemd maintainers are true MAC
gurus.
I'd recommend asking the IMA/SMACK folks for help about this.
Not sure why mount() or /dev/shm would return ENOENT though, except if
SMACK actually can generate that when the smackfsroot=* mount option
we use is not available. Dunno.
Sorry that I can't be more helpful on this,
Lennart
--
Lennart Poettering, Red Hat