summaryrefslogtreecommitdiff
path: root/src
AgeCommit message (Collapse)Author
2010-08-03Systemd is causing mislabeled devices to be created and then attempting to ↵Daniel J Walsh
read them. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 07/28/2010 05:57 AM, Kay Sievers wrote: > On Wed, Jul 28, 2010 at 11:43, Lennart Poettering > <lennart@poettering.net> wrote: >> On Mon, 26.07.10 16:42, Daniel J Walsh (dwalsh@redhat.com) wrote: >>> tcontext=system_u:object_r:device_t:s0 tclass=chr_file >>> type=1400 audit(1280174589.476:7): avc: denied { read } for pid=1 >>> comm="systemd" name="autofs" dev=devtmpfs ino=9482 >>> scontext=system_u:system_r:init_t:s0 >>> tcontext=system_u:object_r:device_t:s0 tclass=chr_file >>> type=1400 audit(1280174589.476:8): avc: denied { read } for pid=1 >>> comm="systemd" name="autofs" dev=devtmpfs ino=9482 >>> scontext=system_u:system_r:init_t:s0 >>> tcontext=system_u:object_r:device_t:s0 tclass=chr_file >>> >>> Lennart, we talked about this earlier. I think this is caused by the >>> modprobe calls to create /dev/autofs. Since udev is not created at the >>> point that init loads the kernel modules, the devices get created with >>> the wrong label. Once udev starts the labels get fixed. >>> >>> I can allow init_t to read device_t chr_files. >> >> Hmm, I think a cleaner fix would be to make systemd relabel this device >> properly before accessing it? Given that this is only one device this >> should not be a problem for us to maintain, I think? How would the >> fixing of the label work? Would we have to spawn restorecon for this, or >> can we actually do this in C without too much work? > > I guess we can just do what udev is doing, and call setfilecon(), with > a context of an earlier matchpathcon(). > > Kay > _______________________________________________ > systemd-devel mailing list > systemd-devel@lists.freedesktop.org > http://lists.freedesktop.org/mailman/listinfo/systemd-devel Here is the updated patch with a fix for the labeling of /dev/autofs -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.14 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAkxQMyoACgkQrlYvE4MpobNviACfWgxsjW2xzz1qznFex8RVAQHf gIEAmwRmRcLvGqYtwQaZ3WKIg8wmrwNk =pC2e
2010-08-03socket: Allow selection of TCP Congestion Avoidance algorithm to socketTomasz Torcz
Hi, attached path extends socket configurables with another knob - TCP Congestion Avoidance selection. Linux implements handful of those, useful in various situations. For example, TCP Low Priority may be used by FTP service to gracefully yield bandwidth for more important TCP/IP streams. Until recently TCP_CONGESTION was Linux-specific, recently FreeBSD 8 and OpenSolaris gained compatible support.
2010-07-24telinit: forward to upstart, if not booted with systemdsystemd/v4Lennart Poettering
2010-07-24systemctl: don't use the systemd bus to talk to upstartLennart Poettering
2010-07-24systemctl: don't hit an assert when we are run from a non-systemd bootLennart Poettering
2010-07-24main: disable NSS disabling logic for now, since this is incompatible with rpmLennart Poettering
2010-07-24systemctl: fold systemd-install into systemctlLennart Poettering
2010-07-23systemctl: support force-reload and condrestart as aliases for ↵Lennart Poettering
reload-or-try-restart
2010-07-23install: default to minimal realization modeLennart Poettering
2010-07-23systemctl: accept -p more than onceLennart Poettering
2010-07-23socket: SELinux support for socket creation.Daniel J Walsh
It seems to work on my machine. /proc/1/fd/20 system_u:system_r:system_dbusd_t:s0 /proc/1/fd/21 system_u:system_r:avahi_t:s0 And the AVC's seem to have dissapeared when a confined app trys to connect to dbus or avahi. If you run with this patch and selinux-policy-3.8.8-3.fc14.noarch You should be able to boot in enforcing mode.
2010-07-23sshd, tmux and others are broken when /dev/pts is mounted with "-o nodev"Robert "arachnist" Gerus
2010-07-22build-sys: fix compatibility with vala 0.9Lennart Poettering
2010-07-21service: save/restore status text stringLennart Poettering
2010-07-21job: make sure restart jobs are readded to the run queue after conversion to ↵Lennart Poettering
start jobs
2010-07-21unit: deduce following unit value dynamically instead of statically, to ↵Lennart Poettering
avoid dangling pointers
2010-07-21pam: remove only sessions we ourselves created in the first placeLennart Poettering
2010-07-21load: make sure that unit files in /etc/ always take precedence, even over ↵Lennart Poettering
link targets, to make them easily overrdiable
2010-07-21unit: allow symlinking unit files to /dev/nullLennart Poettering
2010-07-21exec: extend variable substitution to support splitting variable values into ↵Lennart Poettering
seperate arguments
2010-07-20sysv: do not add sysv services that are not enabled in /etc/rcN.d/ to ↵Lennart Poettering
network.target or other LSB-style Provides: targets
2010-07-20hostname: properly deal with unset hostname in fedora configurationLennart Poettering
2010-07-20systemctl: always disable color when output goes into a fileLennart Poettering
2010-07-20manager: write serialization to /dev/.systemd/ instead of /dev/shmLennart Poettering
2010-07-20socket: fix access mode verification of FIFOsLennart Poettering
2010-07-20device: do not merge devicesLennart Poettering
Don't try to merge devices that have been created via dependencies when they appear in the system and can be recognized as the same. Instead, simply continue to maintain them independently of each other, however with the same state cycle. Why? Because otherwise we'd have a hard time to seperate the dependencies after the devices are unplugged again and we hence cannot be sure anymore that next time the device is plugged in it will carry the same names. Example: if one depndency refers to dev-sda.device and another one to dev-by-id-xxxyyy.device we only learn at time of plug in of the device that it is actually the same device that was ment. In the moment the device is unplugged again we won't know anymore their relation to each other and the next time the harddisk is plugged it might even appear as dev-by-id-xxxyyy.device and dev-sdb.service. To ensure the dependencies continue to have the meaning they were intended to have let's hence keep the .device objects seperate all the time, even when they are plugged in. This patch also introduces a new Following= property which points from the various .device units of a specific device to the main .device unit for it. This can be used by the client side to figure out the relation of the .device units to each other and even filter units from display.
2010-07-19systemctl: introduce reset-maintenance commandLennart Poettering
2010-07-18install: optionally remove all symlinks from configuration tree recursivelyLennart Poettering
2010-07-17execute: bump up log level of executed processes that failedLennart Poettering
2010-07-17job: timeout every job independently of the unitLennart Poettering
2010-07-17unit: consider only_by_dependency setting when clients ask whether a unit is ↵Lennart Poettering
startable
2010-07-17systemctl: extend list-units output a littleLennart Poettering
2010-07-17unit: introduce OnFailure dependencies to activate units on failure of other ↵Lennart Poettering
units, as a way to implement an automatic rescue shell
2010-07-17systemctl: warn when operating on service files that changed on disk but ↵Lennart Poettering
haven't been reloaded
2010-07-16device: rename 'available' state to 'plugged'Lennart Poettering
2010-07-16units: introduce smartcard.targetLennart Poettering
2010-07-16systemctl: always show units with active jobs in list-units outputLennart Poettering
2010-07-16socket: prepare for proper selinux labelling of socketsLennart Poettering
2010-07-16socket: don't allow mixing of accepting and non-accepting sockets in the ↵Lennart Poettering
same unit
2010-07-16service: refuse to start services that are configured for per-connection ↵Lennart Poettering
instantiation to start without a socket
2010-07-16unit: allow units to have more than one instance idLennart Poettering
2010-07-16path,timer: order units after sysinit by defaultLennart Poettering
2010-07-16target: if the user configured a manual ordering between target units and ↵Lennart Poettering
the unit they require don't contradict that automatically
2010-07-16main: disable nscd if we can to avoid deadlock, just in caseLennart Poettering
2010-07-16mount-setup: consider a few file systems API mounts and ignore themLennart Poettering
2010-07-16install: refuse installation of symlinked unitsLennart Poettering
2010-07-16systemctl: add to command for virtualizing the dependency tree with graphvizLennart Poettering
2010-07-14cgls: rename source file to cgls.c, since we have no prefix for any of the ↵Lennart Poettering
other files either
2010-07-14socket: don't close sockets when activating per-connection unitsLennart Poettering
2010-07-13systemctl: introduce try-restart and reload-or-restart commandsLennart Poettering
generated by cgit v1.2.3-54-g00ecf (git 2.45.2) at 2024-11-14 03:32:52 +0000