Age | Commit message (Collapse) | Author | |
---|---|---|---|
2010-09-23 | readahead: implement minimal readahead logic based on fanotify(), mincore() ↵ | Lennart Poettering | |
and readahead() | |||
2010-09-17 | ask-password: popup notification when we ask for a password | Lennart Poettering | |
2010-09-17 | ask-password: add minimal framework to allow services query SSL/harddisk ↵ | Lennart Poettering | |
passphrases from the user | |||
2010-09-14 | build-sys: bump versionsystemd/v10 | Lennart Poettering | |
2010-09-06 | systemctl: make --version a little bit more verbose | Lennart Poettering | |
2010-09-03 | build-sys: prepare new releasesystemd/v9 | Lennart Poettering | |
2010-08-26 | build-sys: show audit/selinux in summary | Lennart Poettering | |
2010-08-25 | build-sys: prepare release v8systemd/v8 | Lennart Poettering | |
2010-08-11 | main: disable nscd properly, if possible | Lennart Poettering | |
2010-08-11 | audit,utmp: implement audit logic and rip utmp stuff out of the main daemon ↵ | Lennart Poettering | |
and into a helper binary | |||
2010-08-10 | build-sys: prepare release 7systemd/v7 | Lennart Poettering | |
2010-08-06 | build-sys: prepare new releasesystemd/v6 | Lennart Poettering | |
2010-08-04 | prepare new releasesystemd/v5 | Lennart Poettering | |
2010-08-03 | Systemd is causing mislabeled devices to be created and then attempting to ↵ | Daniel J Walsh | |
read them. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 07/28/2010 05:57 AM, Kay Sievers wrote: > On Wed, Jul 28, 2010 at 11:43, Lennart Poettering > <lennart@poettering.net> wrote: >> On Mon, 26.07.10 16:42, Daniel J Walsh (dwalsh@redhat.com) wrote: >>> tcontext=system_u:object_r:device_t:s0 tclass=chr_file >>> type=1400 audit(1280174589.476:7): avc: denied { read } for pid=1 >>> comm="systemd" name="autofs" dev=devtmpfs ino=9482 >>> scontext=system_u:system_r:init_t:s0 >>> tcontext=system_u:object_r:device_t:s0 tclass=chr_file >>> type=1400 audit(1280174589.476:8): avc: denied { read } for pid=1 >>> comm="systemd" name="autofs" dev=devtmpfs ino=9482 >>> scontext=system_u:system_r:init_t:s0 >>> tcontext=system_u:object_r:device_t:s0 tclass=chr_file >>> >>> Lennart, we talked about this earlier. I think this is caused by the >>> modprobe calls to create /dev/autofs. Since udev is not created at the >>> point that init loads the kernel modules, the devices get created with >>> the wrong label. Once udev starts the labels get fixed. >>> >>> I can allow init_t to read device_t chr_files. >> >> Hmm, I think a cleaner fix would be to make systemd relabel this device >> properly before accessing it? Given that this is only one device this >> should not be a problem for us to maintain, I think? How would the >> fixing of the label work? Would we have to spawn restorecon for this, or >> can we actually do this in C without too much work? > > I guess we can just do what udev is doing, and call setfilecon(), with > a context of an earlier matchpathcon(). > > Kay > _______________________________________________ > systemd-devel mailing list > systemd-devel@lists.freedesktop.org > http://lists.freedesktop.org/mailman/listinfo/systemd-devel Here is the updated patch with a fix for the labeling of /dev/autofs -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.14 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAkxQMyoACgkQrlYvE4MpobNviACfWgxsjW2xzz1qznFex8RVAQHf gIEAmwRmRcLvGqYtwQaZ3WKIg8wmrwNk =pC2e | |||
2010-07-23 | socket: SELinux support for socket creation. | Daniel J Walsh | |
It seems to work on my machine. /proc/1/fd/20 system_u:system_r:system_dbusd_t:s0 /proc/1/fd/21 system_u:system_r:avahi_t:s0 And the AVC's seem to have dissapeared when a confined app trys to connect to dbus or avahi. If you run with this patch and selinux-policy-3.8.8-3.fc14.noarch You should be able to boot in enforcing mode. | |||
2010-07-22 | build-sys: prepare release 4 | Lennart Poettering | |
2010-07-22 | build-sys: fix compatibility with vala 0.9 | Lennart Poettering | |
2010-07-13 | build-sys: bump releasesystemd/v3 | Lennart Poettering | |
2010-07-12 | cgroup: reimplement the last bit of libcgroup functionality natively | Lennart Poettering | |
2010-07-12 | build-sys: require udev 160 to fix notify socket abstract namespace sockaddr ↵ | Lennart Poettering | |
length | |||
2010-07-10 | build-sys: drop special name hack for dbus.service since a native service ↵ | Lennart Poettering | |
file is now shipped upstream dbus | |||
2010-07-09 | build-sys: bump version | Lennart Poettering | |
2010-07-09 | build-sys: disable inline warnings | Lennart Poettering | |
2010-07-07 | build-sys: prepare release 1systemd/v1 | Lennart Poettering | |
2010-06-21 | pam: implement systemd PAM module and generelize cgroup API for that a bit | Lennart Poettering | |
2010-06-18 | build-sys: speed up build via convenience library | Lennart Poettering | |
2010-06-17 | gcc: disable warn_unused_result attribute warnings | Lennart Poettering | |
2010-06-17 | fix --nonet calls to xsltproc | Pavol Rusnak | |
Also, fix spelling of openSUSE | |||
2010-06-17 | build-sys: pass -fno-strict-aliasing by default | Lennart Poettering | |
2010-06-16 | build-sys: fix configure output without libwrap | Lennart Poettering | |
2010-06-16 | service: optionally call into PAM when dropping priviliges | Lennart Poettering | |
2010-06-16 | socket: add optional libwrap support | Lennart Poettering | |
2010-06-09 | build-sys: enable bz2 tarballs | Lennart Poettering | |
2010-06-07 | build-sys: make make distcheck work again | Lennart Poettering | |
2010-06-07 | dbus: install bus activation file | Lennart Poettering | |
2010-06-02 | build-sys: call AC_OUTPUT without any arguments | Christian Ruppert | |
2010-06-02 | build-sys: default rootdir to prefix | Lennart Poettering | |
2010-06-02 | build-sys: install stuff intended for / into ${rootdir} which is ↵ | Lennart Poettering | |
configurable with --with-rootdir= | |||
2010-05-22 | device: make use of new libudev tags logic | Lennart Poettering | |
2010-05-20 | units: SUSE support | Kay Sievers | |
2010-05-18 | build-sys: remove vala generated sources only when valac is around | Lennart Poettering | |
2010-05-17 | cgroup: don't require debug cgroup controller anymore, use name hierarchy ↵ | Lennart Poettering | |
instead | |||
2010-05-17 | man: replace syslog name in man page by configured name | Lennart Poettering | |
2010-05-17 | build-sys: set M4_DISTRO_FLAG from the configure script | Lennart Poettering | |
2010-05-17 | build-sys: fix --distro= configure explations | Lennart Poettering | |
2010-05-17 | units: add distribution-specific units | Lennart Poettering | |
2010-05-16 | build-sys: provide distro-agnostic defaults for distro-specific settings | Lennart Poettering | |
2010-05-16 | units: automatically generated syslog.target | Lennart Poettering | |
2010-05-16 | build-sys: move source files to subdirectory | Lennart Poettering | |
2010-05-16 | build-sys: use autoconf'igured mkdir/ln/sed programs | Lennart Poettering | |