| Age | Commit message (Collapse) | Author |
|---|
|
|
|
|
|
|
|
Turns out cpuset needs explicit initialization before we could make use
of it. Thus mounting cpuset with cpu/cpuacct would make it impossible to
just create a group in "cpu" and start it.
|
|
understand it
Instead of doing hand optimized fd bisect arrays just use plain old
hashmaps. Now I can understand my own code again. Yay!
As a side effect this should fix some bad memory accesses caused by
accesses after mmap(), introduced in 189.
|
|
|
|
|
|
|
|
|
|
Note: I did s/MANAGER/SYSTEMD/ everywhere, even though it makes the
patch quite verbose. Nevertheless, keeping MANAGER prefix in some
places, and SYSTEMD prefix in others would just lead to confusion down
the road. Better to rip off the band-aid now.
|
|
|
|
https://bugzilla.redhat.com/show_bug.cgi?id=858266
|
|
|
|
|
|
object actually has an exec context
|
|
|
|
|
|
|
|
https://bugs.freedesktop.org/show_bug.cgi?id=54176
|
|
|
|
|
|
|
|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
This patch adds the ability to look at the calling process that is trying to
do dbus calls into systemd, then it checks with the SELinux policy to see if
the calling process is allowed to do the activity.
The basic idea is we want to allow NetworkManager_t to be able to start and
stop ntpd.service, but not necessarly mysqld.service.
Similarly we want to allow a root admin webadm_t that can only manage the
apache environment. systemctl enable httpd.service, systemctl disable
iptables.service bad.
To make this code cleaner, we really need to refactor the dbus-manager.c code.
This has just become a huge if-then-else blob, which makes doing the correct
check difficult.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/
iEYEARECAAYFAlBJBi8ACgkQrlYvE4MpobOzTwCdEUikbvRWUCwOb83KlVF0Nuy5
lRAAnjZZNuc19Z+aNxm3k3nwD4p/JYco
=yops
-----END PGP SIGNATURE-----
|
|
|
|
In many cases this might have a negative effect since we drop escaping
from strings where we better shouldn't have dropped it.
If unescaping makes sense for some settings we can readd it later again,
on a per-case basis.
https://bugs.freedesktop.org/show_bug.cgi?id=54522
|
|
lacking perms, deal with it
|
|
When the new PID is invoked the journal socket from the initrd might
still be around. Due to the default log target being journal we'd log to
that initially when the new main systemd initializes even if the kernel
command line included a directive to redirect systemd's logging
elsewhere.
With this fix we initially always log to kmsg now, if we are PID1, and
only after parsing the kernel cmdline try to open the journal if that's
desired.
(The effective benefit of this is that SELinux performance data is now
logged again to kmsg like it used to be.)
|
|
Properly tell the kernel at bootup, and any later time zone changes,
the actual system time zone.
Things like the kernel's FAT filesystem driver needs the actual time
zone to calculate the proper local time to use for the on-disk time
stamps.
https://bugzilla.redhat.com/show_bug.cgi?id=802198
|
|
For setups with many listening sockets the default kernel resource limit
of 1024 fds is not enough. Bump this up to 64K to avoid any limitations
in this regard. We are careful to pass on the kernel default to daemons
however, since normally resource limits are a good to enforce,
especially since select() can't handle fds > 1023.
|
|
spurious event from before
|
|
|
|
src/core/socket.c:588:25: error: overflow in implicit constant conversion
src/core/socket.c:589:17: error: overflow in implicit constant conversion
|
|
and make use of it
|
|
|
|
Add specifier expansion to Path and String conditions.
Specifier expansion for conditions will help create instance
and user session units by allowing us to template conditions
based on the instance or user session parameters.
An example would be a system-wide user session service file
that conditionally runs based on whether a user has the
service configured through a configuration file in ~/.config/.
|
|
https://bugs.freedesktop.org/show_bug.cgi?id=54501
|
|
|
|
times
This only adds the fields to the D-Bus interfaces but doesn't fill them
in with anything useful yet. Gummiboot exposes the necessary bits of
information to use however and as soon as I get my fingers on a proper
UEFI laptop I'll hook up the remaining bits.
Since we want to stabilize the D-Bus interface soon and include it in
the stability promise we should get the last fixes in, hence this change
now.
|
|
https://bugs.freedesktop.org/show_bug.cgi?id=54448
|
|
Let's make sure libselinux doesn't spew to stderr
|
|
|
|
|
|
CAP_SYS_BOOT is missing
The kernel's PID namespaces support reboot(2) just fine, so let's make
use of it if possible.
|
|
The kernel implicitly does sync() anyway, hence there is no need to do
that in userspace explicitly. This makes the "-n" switch to halt(8) a
noop.
|
|
After talking to the cgroup kernel folks at LPC we came to the
conclusion that it is probably a good idea to mount all CPU related
resp. all network related cgroup controllers together, both because they
are good defaults for admins and because this might prepare
for eventual kernel cleanups where the ability to mount them separately
is removed.
|
|
|
|
|
|
|
|
|
|
|
