summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2016-01-31core: fix selinux check for reloadEvgeny Vereshchagin
Fixes: -bash-4.3# echo 1 >/sys/fs/selinux/enforce -bash-4.3# runcon -t systemd_test_start_t systemctl start hola -bash-4.3# sesearch --allow -s systemd_test_reload_t -c service Found 1 semantic av rules: allow systemd_test_reload_t systemd_unit_file_t : service reload ; -bash-4.3# runcon -t systemd_test_reload_t systemctl reload hola Failed to reload hola.service: Access denied See system logs and 'systemctl status hola.service' for details. -bash-4.3# journalctl -b | grep -i user_avc | grep reload USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' avc: denied { start } for auid=0 uid=0 gid=0 path="/etc/systemd/system/hola.service" cmdline="systemctl reload hola" scontext=unconfined_u:unconfined_r:systemd_test_reload_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service See https://fedoraproject.org/wiki/Features/SELinuxSystemdAccessControl#Documentation
2016-01-31tests: add test-selinux-checksEvgeny Vereshchagin
2016-01-30Merge pull request #2469 from keszybz/resolved-2Lennart Poettering
Resolved 2
2016-01-29Merge pull request #2478 from grawity/fix/touch-modeZbigniew Jędrzejewski-Szmek
basic: fix touch() creating files with 07777 mode
2016-01-29basic: fix touch() creating files with 07777 modeMantas Mikulėnas
mode_t is unsigned, so MODE_INVALID < 0 can never be true. This fixes a possible DoS where any user could fill /run by writing to a world-writable /run/systemd/show-status.
2016-01-29man: reword sentenceZbigniew Jędrzejewski-Szmek
2016-01-29resolved: log server type when switching serversZbigniew Jędrzejewski-Szmek
I'm not defining _DNS_SERVER_TYPE_MAX/INVALID as usual in the enum, because it wouldn't be used, and then gcc would complain that various enums don't test for _DNS_SERVER_TYPE_MAX. It seems better to define the macro rather than add assert_not_reached() in multiple places.
2016-01-29resolved: add macro to compare sized fieldsZbigniew Jędrzejewski-Szmek
For consistency, generic.size is renamed to generic.data_size. nsec3.next_hashed_name comparison was missing a size check.
2016-01-29resolve-host: add option to list protocolsZbigniew Jędrzejewski-Szmek
2016-01-29resolve-host: allow specifying type as TYPEnnZbigniew Jędrzejewski-Szmek
This mirrors the behaviour of host and makes the conversion to and from string symmetrical.
2016-01-29test-tables: ellide boring parts of sparse mappingsZbigniew Jędrzejewski-Szmek
2016-01-29test-resolve-tables: new "test", useful to print mappingsZbigniew Jędrzejewski-Szmek
2016-01-29resolved: calculate and print tags for DNSKEY recordsZbigniew Jędrzejewski-Szmek
2016-01-29Merge pull request #2474 from poettering/doc-fix-2189Martin Pitt
man: document special considerations when mixing templated service un…
2016-01-29man: document special considerations when mixing templated service units and ↵Lennart Poettering
DefaultDependencies=no Fixes #2189.
2016-01-29Merge pull request #2465 from poettering/systemctl-chrootDaniel Mack
Fix for #2015
2016-01-29Merge pull request #2472 from poettering/mini-fixesDaniel Mack
Two mini fixes
2016-01-29systemctl: actually honour the try-reload-or-restart verb aabf5d4243408 promisedLennart Poettering
The verb entry got lost in the ultimate commit.
2016-01-29systemctl: make most systemctl commands NOPs in a chroot() environmentLennart Poettering
Fixes #2015
2016-01-29systemctl: consider a chroot() environment always offlineLennart Poettering
2016-01-29basic: when parsing verb command lines, optionally shortcut them in chroot() ↵Lennart Poettering
environments This adds some basic infrastructure in order to fix #2015.
2016-01-29man: document which section the configuration settings of timesyncd.conf ↵Lennart Poettering
belong into
2016-01-29man: actually say which section resolv.conf's setting should be placed inLennart Poettering
2016-01-29build-sys: install systemd-resolve in /usr/binLennart Poettering
The command has a man page now and is public, hence add it to /usr/bin.
2016-01-28Merge pull request #2466 from poettering/nspawn-journalZbigniew Jędrzejewski-Szmek
Two small nspawn fixes
2016-01-28Merge pull request #2464 from poettering/reload-or-try-restartZbigniew Jędrzejewski-Szmek
Fix for #688
2016-01-28resolved: expand flags field in DNSKEY recordsZbigniew Jędrzejewski-Szmek
2016-01-28resolved: convert TLSA fields to stringZbigniew Jędrzejewski-Szmek
Example output: _443._tcp.fedoraproject.org IN TLSA 0 0 1 GUAL5bejH7czkXcAeJ0vCiRxwMnVBsDlBMBsFtfLF8A= -- Cert. usage: CA constraint -- Selector: Full Certificate -- Matching type: SHA-256
2016-01-28resolved: OPENPGPKEY recordsZbigniew Jędrzejewski-Szmek
2016-01-28resolved: TLSA recordsZbigniew Jędrzejewski-Szmek
2016-01-28resolved: add alignment to base64Zbigniew Jędrzejewski-Szmek
We try to fit the lengthy key data into available space. If the other fields take less than half of the available columns, we use align everything in the remaining columns. Otherwise, we put everything after a newline, indented with 8 spaces. This is similar to dig and other tools do. $ COLUMNS=78 ./systemd-resolve -t any . . IN SOA a.root-servers.net nstld.verisign-grs.com 2016012701 1800 900 604800 86400 . IN RRSIG SOA RSASHA256 0 86400 20160206170000 20160127160000 54549 S1uhUoBAReAFi5wH/KczVDgwLb+B9Zp57dSYj9aX4XxBhKuzccIducpg0wWXhjCRAWuzY fQ/J2anm4+C4BLUTdlytPIemd42SUffQk2WGuuukI8e67nkrNF3WFtoeXQ4OchsyO24t2 rxi682Zo9ViqmXZ+MSsjWKt1jdem4noaY= . IN NS h.root-servers.net . IN NS k.root-servers.net . IN NS e.root-servers.net . IN NS c.root-servers.net . IN NS b.root-servers.net . IN NS g.root-servers.net . IN NS d.root-servers.net . IN NS f.root-servers.net . IN NS i.root-servers.net . IN NS j.root-servers.net . IN NS m.root-servers.net . IN NS a.root-servers.net . IN NS l.root-servers.net . IN RRSIG NS RSASHA256 0 518400 20160206170000 20160127160000 54549 rxhmTVKUgs72G3VzL+1JRuD0nGLIrPM+ISfmUx0eYUH5wZD5XMu2X+8PfkAsEQT1dziPs ac+zK1YZPbNgr3yGI5H/wEbK8S7DmlvO+/I9WKTLp/Zxn3yncvnTOdjFMZxkAqHbjVOm+ BFz7RjQuvCQlEJX4PQBFphgEnkiOnmMdI= . IN NSEC aaa ( NS SOA RRSIG NSEC DNSKEY ) . IN RRSIG NSEC RSASHA256 0 86400 20160206170000 20160127160000 54549 HY49/nGkUJJP1zLmH33MIKnkNH33jQ7bsAHE9itEjvC4wfAzgq8+Oh9fjYav1R1GDeJ2Z HOu3Z2uDRif10R8RsmZbxyZXJs7eHui9KcAMot1U4uKCCooC/5GImf+oUDbvaraUCMQRU D3mUzoa0BGWfxgZEDqZ55raVFT/olEgG8= . IN DNSKEY 257 3 RSASHA256 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0 O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0 NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL4 96M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1ap AzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6 dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ2 5AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1 ihz0= . IN DNSKEY 256 3 RSASHA256 AwEAAbr/RV0stAWYbmKOldjShp4AOQGOyY3ATI1NUpP4X1qBs 6lsXpc+1ABgv6zkg02IktjZrHnmD0HsElu3wqXMrT5KL1W7Sp mg0Pou9WZ8QttdTKXwrVXrASsaGI2z/pLBSnK8EdzqUrTVxY4 TEGZtxV519isM06CCMihxTn5cfFBF . IN RRSIG DNSKEY RSASHA256 0 172800 20160204235959 20160121000000 19036 XYewrVdYKRDfZptAATwT+W4zng04riExV36+z04kok09W0RmOtDlQrlrwHLlD2iN/zYpg EqGgDF5T2xlrQdNpn+PFHhypHM7NQAgLTrwmiw6mGbV0bsZN3rhFxHwW7QVUFAvo9eNVu INrjm+sArwxq3DnPkmA+3K4ikKD2iiT/jT91VYr9SHFqXXURccLjI+nmaE7m31hXcirX/ r5i3J+B4Fx4415IavSD72r7cmruocnCVjcp+ZAUKeMyW+RwigzevLz3oEcCZ4nrTpGLEj wFaVePYoP+rfdmfLfTdmkkm4APRJa2My3XOdGFlgNS1pW1pH4az5LapLE2vMO7p1aQ== -- Information acquired via protocol DNS in 14.4ms. -- Data is authenticated: no
2016-01-28man: force space in cmdsynopsisZbigniew Jędrzejewski-Szmek
Docbook renders the man page as "[OPTIONS]--type" without it.
2016-01-28resolved: emit full path to file we failed to writeZbigniew Jędrzejewski-Szmek
Otherwise it's unclear if it's /etc/resolv.conf or some other file that is meant.
2016-01-28nspawn: make sure --link-journal=host may be used twice in a rowLennart Poettering
Fixes #2186 This fixes fall-out from 574edc90066c3faeadcf4666928ed9b0ac409c75.
2016-01-28nspawn: make journal linking non-fatal in try and auto modesLennart Poettering
Fixes #2091
2016-01-28systemctl: rename "reload-or-try-restart" verb to "try-reload-or-restart"Lennart Poettering
But also keep the old name as (undocumented) compatibility around. The reload-or-try-restart was documented to be a NOP if the unit is not running, since the previous commits this is also implemented. The old name suggests that the "try" logic only applies to restarting. Fix this, by moving the "try-" to the front, to indicate that the whole option is a NOP if the service isn't running.
2016-01-28systemctl: improve message when a job fails with a JOB_INVALID stateLennart Poettering
This result can only happen if the job was a reload job for an inactive unit. Make the error message actually say that.
2016-01-28core: when propagating reload jobs, downgrade them to try-reloadLennart Poettering
Otherwise we might end up generating jobs that fail immediately. This follows the same logic that restart propagation follows.
2016-01-28core: when determining system state, don't bother with JOB_TRY_RESTARTLennart Poettering
When we determine the current system state we check whether units like emergency.target are running or a job that results in them being run is queued. However, this is not the case for JOB_TRY_RESTART, since that's a NOP if the unit has not been running before. Hence, don't bother with checking for that job type.
2016-01-28core: make sure "systemctl reload-or-try-restart is actually a noop if a ↵Lennart Poettering
unit is not running This makes sure we follow the same basic logic for try-restart if we have a try-reload. Fixes #688
2016-01-28man: stop documenting legacy RedHatismsLennart Poettering
We generally document only the supported verbs, but not the compatibility verbs we also support, in order to keep the documentation minimal.
2016-01-28Merge pull request #2463 from poettering/machined-tty-fixDaniel Mack
Fixes for the service TTY reset logic and other stuff
2016-01-28basic: getauxval(AT_RANDOM) is apparently not necessarily alignedLennart Poettering
Let's make sure we read it in a way compatible with non-aligned memory. Fixes: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=812928
2016-01-28systemctl: don't make up unit states, and don't eat up errors to eagerlyLennart Poettering
When checking a unit's state, don't ignore errors too eagerly, but generate proper error messages. Also, don't synthesize an "unknown" state on error, but let the operation file. If a unit file isn't loaded treat this as "inactive" as that's effectively what it means.
2016-01-28systemctl: don't mangle unit names in check_unit_generic()Lennart Poettering
As it turns out all callers of check_unit_generic() already mangle unit names, or get the unit names directly from PID 1 (and hence arein normalized form anyway), hence there's no point in mangling then...
2016-01-28shared: meanor clean-ups for logs-show.cLennart Poettering
Some minor simplifications. Shouldn't change codepaths.
2016-01-28core: don't reset /dev/console if stdin/stdout/stderr as passed as fd in a ↵Lennart Poettering
transient service Otherwise we might end resetting /dev/console all the time when a transient service starts or stops. Fixes #2377 Fixes #2198 Fixes #2061
2016-01-28doc: improved wording in some placesJan Engelhardt
Avoid "mountpoint mounted" (word repetition), "queriable" (no match in m-w.com and dict.cc).
2016-01-28man: try to repair some nonsensical paragraphJan Engelhardt
2016-01-28man: top-align cell text for large tablesJan Engelhardt