[systemd-devel] Does systemd-nspawn support running systemd in a user namespace

[Daniel J Walsh]

We are seeing issues attempting to do this with docker/runc.  Basic
problem is /sys/fs/cgroup/systemd is owned by real root.  Is there
something we need to change in runc, to make this directory owned by
UserNamespace-Root?

___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] Issues with docker systemd cgroups integration

[Daniel J Walsh]

Expanding this out to systemd-devel mailing list.

On 03/14/2016 01:04 PM, Mrunal Patel wrote:

Hi, Lukas,
We are using systemd cgroups support in docker for Fedora/RHEL and 
seeing some issues.


Here is the flow of the code in docker/runc/libcontainer:
1. We create a Transient Unit setting some properties based on what 
the user passed or defaults.

For e.g. /system.slice/docker-abcd.scope
2. We then manually join other cgroups subsystems such as devices by 
creating the directory
/sys/fs/cgroup/devices/system.slice/docker-abcd.scope. This is done so 
we can support cgroups that aren't directly supported by systemd


To see the code you can refer to 
https://github.com/projectatomic/docker/pull/71/files (In this PR, I 
made the change to always join all the subsystems after creating the 
scope to help with first issue below).



There are two classes of issues that are cropping up (especially under 
load):
1. Sometimes a cgroup isn't joined even though it is passed as a 
property while creating a Transient Unit. For e.g. CPUShares are 
specified, however the transient unit doesn't seem to join

the cpu,cpuacct subsystem.

2. cpu.proc file itself goes missing especitally with the devices 
subsystemd even thought we mkdir the directory and write to the file. 
It is as if the file gets deleted by some other process.


What can we do to fix these issues?

Thanks,
Mrunal


___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] I want to run systemd inside of a locked down base docker container

[Daniel J Walsh]

On 02/10/2016 05:21 PM, Lennart Poettering wrote:
> On Wed, 10.02.16 16:43, Daniel J Walsh (dwa...@redhat.com) wrote:
>
>>>>> I don't see why one would want to mask systemd-logind.service. If you
>>>>> permit logins and PAM at all, you really need that. 
>>>> If I wanted to add a login program I could enable/unmask these.
>>>> No one runs docker containers as login services, that would require
>>>> getty. 
>>> Well, "machinectl shell", "cron" and all those things do PAM... In
>>> fact the fact that "machinectl shell" goes through PAM and registers
>>> with logind through that is one of the major benefits over naked
>>> "nsenter".
>> I wonder if any of these work correctly inside of a docker container?
>>
>> Can these be customized or do they require systemd as pid 1 inside of
>> the container.  Docker has a "docker exec"
> No, "machinectl shell" requires PID 1 in the container to be systemd.
>
> Unlike "nsenter" (and docker exec, as I presume), "machinectl shell"
> will not try to take a process from the host and patch around in its
> process attributes until it appears to be a process from within the
> container (by joining namespaces, cgroups, uids, gids, selinux labels,
> audit creds, …). It will instead allocate a pty in the container and
> then use ask systemd inside the container using the "transient units"
> API to spawn a shell on it. It then does nothing else than forward
> data between this pty and the tty it was invoked from. 
>
> This way the only processes you see in the container have actually
> been started by systemd inside the container. They are properly
> tracked and maintained like any other process invoked in the container
> by the systemd instance that is running it. They inherit the process
> attributes from PID 1 in the container, and the PPID reported for them
> will actually be 1 as it should. – They are not these weird alien
> processes like nsenter creates that are half-way part of the host
> system and half-way member of the container, for which PPID returns 0
> in the container, because they actually don't have a parent process
> inside of the container.
>
> Long story short: "machinectl shell" should work fine even with docker
> containers – as long as systemd runs as PID 1 in them.
>
>>> I added this to the TODO list now.
>> Sounds fine with me.  I went back to the original container and I can
>> remove all of the other modifications, I can live with the warnings at the
>> beginning and remove the /etc/fstab.  We just need to get this into more
>> people hands to see what happens and what breaks. 
> Quite frankly, I don't understand why /etc/fstab is populated at all
> on Fedora by default. It should only exists if there are actual
> external file systems configured in it, and otherwise just not exist.
>
>> This is what I am seeing now with just /etc/fstab removed.
>>
>> Welcome to Fedora 23 (Twenty Three)!
>>
>> Set hostname to <654f7872d331>.
>> dev-hugepages.mount: Cannot add dependency job, ignoring: Unit 
>> dev-hugepages.mount is masked.
>> sys-fs-fuse-connections.mount: Cannot add dependency job, ignoring: Unit 
>> sys-fs-fuse-connections.mount is masked.
>> systemd-remount-fs.service: Cannot add dependency job, ignoring: Unit 
>> systemd-remount-fs.service is masked.
>> systemd-logind.service: Cannot add dependency job, ignoring: Unit 
>> systemd-logind.service is masked.
>> getty.target: Cannot add dependency job, ignoring: Unit getty.target
>> is masked.
> Again, there should be no need to mask dev-hugepages.mount and
> getty.target at all. And if you drop /etc/fstab there's no need to
> mask systemd-remount-fs.target either. Please unmask those three
> units!
>
> As soon as my patch to add the ConditionCapability= check to
> sys-fs-fuse-connections.mount you should also be able to unmask that
> unit and get a clean boot.
>
> Lennart
>
I am now masking nothing, just removing /etc/fstab.   We will probably
need to back port the dev-hugepages.mount fix
to rhel7 at some point.
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel

[systemd-devel] I want to run systemd inside of a locked down base docker container

[Daniel J Walsh]

On Fedora I see a few services starting up and failing when I run
systemd, I have been able  to disable these
by executing.

RUN systemctl disable sysinit.target remote-fs.target systemd-remount-fs;\
systemctl mask systemd-firstboot initrd-udevadm-cleanup-db.service
systemd-udev-settle.service systemd-udev-trigger.service systemd-udevd.service 
systemd-udevd-control.socket systemd-udevd-kernel.socket; \
rm -f /lib/systemd/system/multi-user.target.wants/systemd* 
/lib/systemd/system/multi-user.target.wants/getty*;\
sed -i 's/^enable/disable/g' /lib/systemd/system-preset/* 


Could someone look at these and tell me if I went too far.  I would like to get 
these commands as the default for systemd in the base
RHEL/Fedora and Centos containers.



___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] I want to run systemd inside of a locked down base docker container

[Daniel J Walsh]

On 02/10/2016 11:16 AM, Lennart Poettering wrote:
> On Wed, 10.02.16 10:56, Daniel J Walsh (dwa...@redhat.com) wrote:
>
>> On Fedora I see a few services starting up and failing when I run
>> systemd, I have been able  to disable these
>> by executing.
>>
>> RUN systemctl disable sysinit.target remote-fs.target
>> systemd-remount-fs;\
> sysinit.target and systemd-remount-fs.service are static units; they
> cannot be enabled via "systemctl enable" or disabled via "systemctl
> disable". That part should be a NOP and should not have any effect;
> you can drop it.
>
> remote-fs.target has no value either, unless there actually are NFS
> mounts listed in /etc/fstab. I am pretty sure there aren't any for in
> your container, are there? Hence, this really sounds like something
> you can drop too, without any change in behaviour.
I was seeing failed mounts inside the container until I removed these. 
I can
remove these lines to see if the failed mounts come back.  But there
should be nothing
in the container that does a mount, unless someone put bogus stuff in
the Fedora base container.

This is what the dockerfile looks like that I am building and testing
with systemd.
```
Cat Dockerfile

FROMfedora:23
MAINTAINER  Dan Walsh
ENV container docker
RUN dnf -y install httpd; dnf clean all; systemctl enable httpd; systemctl 
disable dnf* dnf-makecache.timer
RUN systemctl disable sysinit.target remote-fs.target systemd-remount-fs;\
systemctl mask systemd-firstboot initrd-udevadm-cleanup-db.service
systemd-udev-settle.service systemd-udev-trigger.service systemd-udevd.service 
systemd-udevd-control.socket systemd-udevd-kernel.socket; \
rm -f /lib/systemd/system/multi-user.target.wants/systemd* 
/lib/systemd/system/multi-user.target.wants/getty*;\
sed -i 's/^enable/disable/g' /lib/systemd/system-preset/* 

EXPOSE 80

CMD [ "/sbin/init" ]

```

>> systemctl mask systemd-firstboot initrd-udevadm-cleanup-db.service
>> systemd-udev-settle.service systemd-udev-trigger.service
>> systemd-udevd.service systemd-udevd-control.socket
>> systemd-udevd-kernel.socket; \
> The systemd-firstboot service should have no effect unless you
> actually boot with an empty /etc (or more accuratily: unless you
> actually boot with an /etc that lacks /etc/machine-id) . Note that it
> carries a condition ConditionFirstBoot=yes which makes sure that it
> isn't even executed in normal cases. 
I see in the logs systemd complaining about no systemd-firstboot command.
> Masking all the udev stuff is pretty pointless too. These services are
> conditioned out in containers too anyway. There's really no need to
> mask them out. More specifically, they contain
> ConditionPathIsReadWrite=/sys, i.e. are skipped if /sys is read-only,
> which is the way how container managers should set up /sys (it's a big
> security hole to allow containers write access to /sys). My
> recommendation would be to make sure you container manager implements
> these recommendations:
I am just seeing mentions of udev inside of the container, What I don't
want is messages
inside of the journal or bootup that look like systemd is trying to run
firstboot, udev etc.
> https://wiki.freedesktop.org/www/Software/systemd/ContainerInterface/
>
> If your container manager follows these guidelines (of which the /sys
> being read-only thing is one), then there should be no special hacks
> necessary in systemd, as it should just work, and detect the slight
> semantica changes of containers correctly and avoid them cleanly.
>
>> rm -f /lib/systemd/system/multi-user.target.wants/systemd*
>> /lib/systemd/system/multi-user.target.wants/getty*;\
> What's the rationale for this? First of all, the getty stuff appears
> entirely unnecessary as getty@.service (which is the only thing
> generally linked from gettys.target these days) contains
> ConditionPathExists=/dev/tty0 which means it's already skipped when
> run on systems lacking a VC (such as containers).
Again, I am seeing getty@ failures inside of the container.
> And the other services you are removing here: what's the point? they
> aren't really optional, that's why they are linked from /usr/lib,
> rather than subject to systemctl enable/disable...
>
>> sed -i 's/^enable/disable/g' /lib/systemd/system-preset/* 
> Why would this matter?
We don't want excess services running inside of a docker container.  I
only want systemd/journald and any services
that I enable in the container.   Not something pulled in because the
installer thinks this is a VM or a Host OS.
>
>> Could someone look at these and tell me if I went too far.  I would like to 
>> get these commands as the default for systemd in the base
>> RHEL/Fedora and Centos containers

Re: [systemd-devel] I want to run systemd inside of a locked down base docker container

[Daniel J Walsh]

On 02/10/2016 11:16 AM, Lennart Poettering wrote:
> On Wed, 10.02.16 10:56, Daniel J Walsh (dwa...@redhat.com) wrote:
>
>> On Fedora I see a few services starting up and failing when I run
>> systemd, I have been able  to disable these
>> by executing.
>>
>> RUN systemctl disable sysinit.target remote-fs.target
>> systemd-remount-fs;\
> sysinit.target and systemd-remount-fs.service are static units; they
> cannot be enabled via "systemctl enable" or disabled via "systemctl
> disable". That part should be a NOP and should not have any effect;
> you can drop it.
>
> remote-fs.target has no value either, unless there actually are NFS
> mounts listed in /etc/fstab. I am pretty sure there aren't any for in
> your container, are there? Hence, this really sounds like something
> you can drop too, without any change in behaviour.
>
>> systemctl mask systemd-firstboot initrd-udevadm-cleanup-db.service
>> systemd-udev-settle.service systemd-udev-trigger.service
>> systemd-udevd.service systemd-udevd-control.socket
>> systemd-udevd-kernel.socket; \
> The systemd-firstboot service should have no effect unless you
> actually boot with an empty /etc (or more accuratily: unless you
> actually boot with an /etc that lacks /etc/machine-id) . Note that it
> carries a condition ConditionFirstBoot=yes which makes sure that it
> isn't even executed in normal cases. 
>
> Masking all the udev stuff is pretty pointless too. These services are
> conditioned out in containers too anyway. There's really no need to
> mask them out. More specifically, they contain
> ConditionPathIsReadWrite=/sys, i.e. are skipped if /sys is read-only,
> which is the way how container managers should set up /sys (it's a big
> security hole to allow containers write access to /sys). My
> recommendation would be to make sure you container manager implements
> these recommendations:
>
> https://wiki.freedesktop.org/www/Software/systemd/ContainerInterface/
>
> If your container manager follows these guidelines (of which the /sys
> being read-only thing is one), then there should be no special hacks
> necessary in systemd, as it should just work, and detect the slight
> semantica changes of containers correctly and avoid them cleanly.
>
>> rm -f /lib/systemd/system/multi-user.target.wants/systemd*
>> /lib/systemd/system/multi-user.target.wants/getty*;\
> What's the rationale for this? First of all, the getty stuff appears
> entirely unnecessary as getty@.service (which is the only thing
> generally linked from gettys.target these days) contains
> ConditionPathExists=/dev/tty0 which means it's already skipped when
> run on systems lacking a VC (such as containers).
>
> And the other services you are removing here: what's the point? they
> aren't really optional, that's why they are linked from /usr/lib,
> rather than subject to systemctl enable/disable...
>
>> sed -i 's/^enable/disable/g' /lib/systemd/system-preset/* 
> Why would this matter?
>
>> Could someone look at these and tell me if I went too far.  I would like to 
>> get these commands as the default for systemd in the base
>> RHEL/Fedora and Centos containers.
> I don't follow at all. 
>
> None of this is necessary. systemd works fine in containers as long as
> the container manager follows these guidelines:
>
> https://wiki.freedesktop.org/www/Software/systemd/ContainerInterface/
>
> nspawn implements all of this, and docker really should too...
>
> Lennart
>
BTW With the latest code/hooks we now have

/sys as readonly
/tmp and /run on tmpfs.
/etc/machine-id created to match containerid.
/var/log/journald/UUID mounted from the host so that journalctl -M UUID
will work.
Docker containers registered with machinectl.


These are the processes run after launching the systemd based container.

system_u:system_r:*svirt*_lxc_net_t:s0:c557,c563 29042 ? 00:00:00 systemd
system_u:system_r:*svirt*_lxc_net_t:s0:c557,c563 29076 ? 00:00:00 
systemd-journal
system_u:system_r:*svirt*_lxc_net_t:s0:c557,c563 29093 ? 00:00:00 dbus-daemon
system_u:system_r:*svirt*_lxc_net_t:s0:c557,c563 29094 ? 00:00:00 httpd
system_u:system_r:*svirt*_lxc_net_t:s0:c557,c563 29099 ? 00:00:00 httpd
system_u:system_r:*svirt*_lxc_net_t:s0:c557,c563 29100 ? 00:00:00 httpd
system_u:system_r:*svirt*_lxc_net_t:s0:c557,c563 29102 ? 00:00:00 httpd
system_u:system_r:*svirt*_lxc_net_t:s0:c557,c563 29104 ? 00:00:00 httpd
system_u:system_r:*svirt*_lxc_net_t:s0:c557,c563 29107 ? 00:00:00 httpd

___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] I want to run systemd inside of a locked down base docker container

[Daniel J Walsh]

On 02/10/2016 01:14 PM, Lennart Poettering wrote:
> On Wed, 10.02.16 11:36, Daniel J Walsh (dwa...@redhat.com) wrote:
>
>>>> systemctl mask systemd-firstboot initrd-udevadm-cleanup-db.service
>>>> systemd-udev-settle.service systemd-udev-trigger.service
>>>> systemd-udevd.service systemd-udevd-control.socket
>>>> systemd-udevd-kernel.socket; \
>>> The systemd-firstboot service should have no effect unless you
>>> actually boot with an empty /etc (or more accuratily: unless you
>>> actually boot with an /etc that lacks /etc/machine-id) . Note that it
>>> carries a condition ConditionFirstBoot=yes which makes sure that it
>>> isn't even executed in normal cases. 
>> I see in the logs systemd complaining about no systemd-firstboot
>> command.
> Well, what have you installed in the container? Is the
> systemd-firstboot binary there? If not, why not? If this has been
> split out of the core package, then the service unit for it should
> have been split out too, hence there shouldn't be any error about this.
>
>>> Masking all the udev stuff is pretty pointless too. These services are
>>> conditioned out in containers too anyway. There's really no need to
>>> mask them out. More specifically, they contain
>>> ConditionPathIsReadWrite=/sys, i.e. are skipped if /sys is read-only,
>>> which is the way how container managers should set up /sys (it's a big
>>> security hole to allow containers write access to /sys). My
>>> recommendation would be to make sure you container manager implements
>>> these recommendations:
>> I am just seeing mentions of udev inside of the container, What I don't
>> want is messages
>> inside of the journal or bootup that look like systemd is trying to run
>> firstboot, udev etc.
> Sure, that's precisely what the ConditionXYZ= constructs are for: to
> skip stuff silently that is not necessary in some cases. 
>
> And by default systemd comes with all the the conditions in place so
> that a vanilla systemd image should work fine that implements the
> container interface.
>
>>> https://wiki.freedesktop.org/www/Software/systemd/ContainerInterface/
>>>
>>> If your container manager follows these guidelines (of which the /sys
>>> being read-only thing is one), then there should be no special hacks
>>> necessary in systemd, as it should just work, and detect the slight
>>> semantica changes of containers correctly and avoid them cleanly.
>>>
>>>> rm -f /lib/systemd/system/multi-user.target.wants/systemd*
>>>> /lib/systemd/system/multi-user.target.wants/getty*;\
>>> What's the rationale for this? First of all, the getty stuff appears
>>> entirely unnecessary as getty@.service (which is the only thing
>>> generally linked from gettys.target these days) contains
>>> ConditionPathExists=/dev/tty0 which means it's already skipped when
>>> run on systems lacking a VC (such as containers).
>> Again, I am seeing getty@ failures inside of the container.
> That would suggest that there's a /dev/tty0 in the container? That
> looks really wrong... A container has no virtual console hence there
> should be no /dev/tty0.
> On Linux /dev/tty0 is a special device node that is part of the
> kernel's VC subsystem, and points to the VC currently in the
> foreground. It has no place in virtualized systems such as containers.
> What is docker mounting as /dev into the container? Does it just bind
> mount the host /dev? That's really nasty, as that will expose host
> devices and device node ownership to the containers. They really
> shouldn't do that and instead mount their own tmpfs to /tmp and just
> create the device nodes for /dev/null, /dev/random and so on, but
> nothing else.
They don't, they create their own /dev inside the container with locked
down devices.

ls -lZ /dev/
total 0
crw---. 1 root root system_u:object_r:svirt_sandbox_file_t:s0:c15,c706 136, 
  3 Feb 10 20:42 console
lrwxrwxrwx. 1 root root system_u:object_r:svirt_sandbox_file_t:s0:c15,c706  
 13 Feb 10 20:42 fd -> /proc/self/fd
crw-rw-rw-. 1 root root system_u:object_r:svirt_sandbox_file_t:s0:c15,c706   1, 
  7 Feb 10 20:42 full
c-. 1 root root system_u:object_r:svirt_sandbox_file_t:s0:c15,c706  10, 
229 Feb 10 20:42 fuse
lrwxrwxrwx. 1 root root system_u:object_r:svirt_sandbox_file_t:s0:c15,c706  
 11 Feb 10 20:42 kcore -> /proc/kcore
drwxrwxrwt. 2 root root system_u:object_r:svirt_sandbox_file_t:s0:c15,c706  
 40 Feb 10 20:42 mqueue
crw-rw-rw-. 1 root root system_u:object_r:svirt_sandbox_file_t:s0:c15,c706   1, 
  3 Feb 10 20:42 null
lrwxrwxrwx. 1 root root 

Re: [systemd-devel] I want to run systemd inside of a locked down base docker container

[Daniel J Walsh]

On 02/10/2016 01:41 PM, Lennart Poettering wrote:
> On Wed, 10.02.16 10:22, Ranjib Dey (dey.ran...@gmail.com) wrote:
>
>> Docker(ls -alh)
>>
>> crw---  1 root root 136,   9 Feb 10 18:20 console
>> lrwxrwxrwx  1 root root   13 Feb 10 18:20 fd -> /proc/self/fd
>> crw-rw-rw-  1 root root   1,   7 Feb 10 18:20 full
>> c-  1 root root  10, 229 Feb 10 18:20 fuse
>> lrwxrwxrwx  1 root root   11 Feb 10 18:20 kcore -> /proc/kcore
>> drwxrwxrwt  2 root root   40 Oct 30 08:01 mqueue
>> crw-rw-rw-  1 root root   1,   3 Feb 10 18:20 null
>> lrwxrwxrwx  1 root root8 Feb 10 18:20 ptmx -> pts/ptmx
>> drwxr-xr-x  2 root root0 Feb 10 18:20 pts
>> crw-rw-rw-  1 root root   1,   8 Feb 10 18:20 random
>> drwxrwxrwt  2 root root   40 Feb 10 18:20 shm
>> lrwxrwxrwx  1 root root   15 Feb 10 18:20 stderr -> /proc/self/fd/2
>> lrwxrwxrwx  1 root root   15 Feb 10 18:20 stdin -> /proc/self/fd/0
>> lrwxrwxrwx  1 root root   15 Feb 10 18:20 stdout -> /proc/self/fd/1
>> crw-rw-rw-  1 root root   5,   0 Feb 10 18:20 tty
>> crw-rw-rw-  1 root root   1,   9 Feb 10 18:20 urandom
>> crw-rw-rw-  1 root root   1,   5 Feb 10 18:20 zero
> This looks pretty OK actually. With this setup (i.e. where /dev/tty0
> does not exist) it seems entirely unnnecessary to mask the getty
> services or anything, as they contain a  condition (as mentioned) that
> skips them if this device node does not exist.
>
>> LXC (ls -alh /dev)
>> crw-rw  1 root   tty 136, 18 Feb 10 07:15 console
>> lrwxrwxrwx  1 root   root 11 Feb 10 07:15 core -> /proc/kcore
>> lrwxrwxrwx  1 root   root 13 Feb 10 07:15 fd -> /proc/self/fd
>> crw-rw-rw-  1 nobody nogroup   1,  7 Feb  9 08:32 full
>> srw-rw-rw-  1 root   root  0 Feb 10 07:15 log
>> drwxrwxrwt  2 nobody nogroup  40 Feb 10 07:15 mqueue
>> drwxr-xr-x  2 root   root 40 Feb 10 07:15 net
>> crw-rw-rw-  1 nobody nogroup   1,  3 Feb  9 08:32 null
>> lrwxrwxrwx  1 root   root 13 Feb 10 07:15 ptmx -> /dev/pts/ptmx
>> drwxr-xr-x  2 nobody nogroup   0 Feb 10 07:15 pts
>> lrwxrwxrwx  1 root   root  4 Feb 10 07:15 ram -> ram1
>> crw-rw-rw-  1 nobody nogroup   1,  8 Feb  9 08:32 random
>> lrwxrwxrwx  1 root   root  8 Feb 10 07:15 shm -> /run/shm
> this looks wrong...
>
>> lrwxrwxrwx  1 root   root  4 Feb 10 07:15 stderr -> fd/2
>> lrwxrwxrwx  1 root   root  4 Feb 10 07:15 stdin -> fd/0
>> lrwxrwxrwx  1 root   root  4 Feb 10 07:15 stdout -> fd/1
>> crw-rw-rw-  1 nobody nogroup   5,  0 Feb 10 18:17 tty
>> crw-rw  1 root   tty 136,  0 Feb 10 07:15 tty1
>> crw-rw  1 root   tty 136,  1 Feb 10 07:15 tty2
>> crw-rw  1 root   tty 136,  2 Feb 10 07:15 tty3
>> crw-rw  1 root   tty 136,  3 Feb 10 07:15 tty4
> Urks. This looks super wrong. A container has no VC subsystem, and
> these devices really shouldn't exist there. /dev/tty1, /dev/tty2 and
> so on are the interface to the Linux kernel VC subsystem, and nothing else.
>
>> drwxr-xr-x  3 root   root 60 Feb 10 07:15 .udev
> Wut? where does this come from? the last time udev used that directory
> was 4 years ago or so...
>
> Lennart
>
Not sure how up2date lxc tools are...
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel

[systemd-devel] Trying to get journalctl -M UUID to work with docker containers

[Daniel J Walsh]

I have patches into docker to allow it to register with machinectl and
run systemd inside of the container without --privileges.  I also set it
up so that the /var/log/journald/UUID on the host is mounted inside of
the container, so that journald inside of the container writes to this
location on the host.

Then I use journalctl -M UUID on the host to look at the host journal. 
When I run the first container it works great.  I see the container, but
when I run the second container, I end up seeing the first countainers
journal again.  If I strace journalctl -M uuid it looks like it is
reading all of the journals under /var/log/journalctl rather then just
the one for UUID.

Am I doing something wrong when I set this up?  How is this supposed to
work?

Dan
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] Trying to get journalctl -M UUID to work with docker containers

[Daniel J Walsh]

On 02/08/2016 08:18 AM, Mantas Mikulėnas wrote:
> On Mon, Feb 8, 2016 at 3:09 PM, Daniel J Walsh <dwa...@redhat.com
> <mailto:dwa...@redhat.com>> wrote:
>
> I have patches into docker to allow it to register with machinectl and
> run systemd inside of the container without --privileges.  I also
> set it
> up so that the /var/log/journald/UUID on the host is mounted inside of
> the container, so that journald inside of the container writes to this
> location on the host.
>
> Then I use journalctl -M UUID on the host to look at the host journal.
> When I run the first container it works great.  I see the
> container, but
> when I run the second container, I end up seeing the first countainers
> journal again.  If I strace journalctl -M uuid it looks like it is
> reading all of the journals under /var/log/journalctl rather then just
> the one for UUID.
>
> Am I doing something wrong when I set this up?  How is this
> supposed to
> work?
>
>
> If I remember correctly, -M adds a filter for _MACHINE_ID and
> _BOOT_ID? Try `SYSTEMD_LOG_LEVEL=debug journalctl -M ` to
> verify. Maybe your containers actually have identical '/etc/machine-id's?
>
> -- 
> Mantas Mikulėnas <graw...@gmail.com <mailto:graw...@gmail.com>>

docker ps -a
CONTAINER IDIMAGE   COMMAND CREATED 
STATUS  PORTS   NAMES
69730c6f4b85httpd   "/sbin/init"7 minutes ago   
Up 7 minutes80/tcp  httpd
c8174de954b6httpd   "/sbin/init"22 hours ago
Up 7 minutes80/tcp  httpd1


# machinectl 
MACHINE  CLASS SERVICE
69730c6f4b85ea61f5b9ddb9fb68cf7b container docker 
c8174de954b6e3037926dfa8b15cc854 container docker 


# docker exec httpd cat /etc/machine-id
69730c6f4b85ea61f5b9ddb9fb68cf7b
# docker exec httpd1 cat /etc/machine-id
c8174de954b6e3037926dfa8b15cc854



No the /etc/machine-id is different, if I enter the container I see differences.


# docker exec httpd journalctl | head -1
-- Logs begin at Mon 2016-02-08 14:10:37 UTC, end at Mon 2016-02-08 14:10:38 
UTC. --
# docker exec httpd1 journalctl | head -1
-- Logs begin at Sun 2016-02-07 15:36:19 UTC, end at Mon 2016-02-08 14:10:49 
UTC. --




# journalctl -M 69730c6f4b85ea61f5b9ddb9fb68cf7b  | head -1
-- Logs begin at Sun 2016-02-07 09:59:39 EST, end at Mon 2016-02-08 09:18:20 
EST. --

# journalctl -M c8174de954b6e3037926dfa8b15cc854  | head -1
-- Logs begin at Sun 2016-02-07 09:59:39 EST, end at Mon 2016-02-08 09:18:40 
EST. --


Where should I go for the output of this?  
SYSTEMD_LOG_LEVEL=debug journalctl -M 

Is there a way for me to see the settings of _MACHINE_ID and _BOOT_ID?  Also 
how can I see the actual path to the file journalctl is 
reading?  

___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel

[systemd-devel] Does systemd launch gdb on an application that crashes now?

[Daniel J Walsh]

I am seeing gdb run in the SELinux type of a few different crashed
domains.  I am trying to figure out how this is happening, so we can
figure out a secure solution.  I know that kde has some kind of hack to
handle this, and abrt does it but it does it under the abrt_t process
not in the same context as the crashed application.
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] SElinux in container

[Daniel J Walsh]

On 08/23/2015 08:10 AM, arnaud gaboury wrote:
 Here is my setup:

 Host:  Archlinux systemd 224-1
 Container: Fedora 22 systemd 219

 The container is a server and has vocation to be one day deployed on a
 dediacted server for production. In this way, I would like to set
 SElinux (default in Fedora). Unfortunately, doing it in Arch host is
 not a trivial affair and as host is a desktop, I would like to avoid.

 For now, SElinux is enabled in the Kernel with disables at boot with 
 selinux=0.

 Is there any way to enable and configure SElinux only in the
 container? Looking at capabilities(7) did not give me any hints. As a
 side note, CAP_SYS_MODULE does not work for container. I guess it is
 due to systemd 219 on the container ?

 Thank you.

You would have to write a policy for this.  You could write a policy
where everything is
an unconfined domain, but the containers run confined.

You would write something where the kernel, systemd ... all run as os_t,
then allow
docker or other domain to transition the container domain. container_t.

But this would not give you fine grained control within the container.

It also would probably require a lot of policy writing.  But would seem
to be a good
university project...
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

[systemd-devel] I am adding RegisterMachine to docker.

[Daniel J Walsh]

When container stops machinectl still shows it registered?  Do I need to
Unregister the machine?  I though systemd would notice the pid died and
remove the machine.
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] 219/Fedora22: NFS mounts do not set SELINUX label to nfs_t: errno=-22

[Daniel J Walsh]

On 05/26/2015 09:46 AM, Lennart Poettering wrote:
 On Sun, 24.05.15 15:01, Anthony Alba (ascanio.al...@gmail.com) wrote:

 Hi,

 On Fedora 22, systemd 219, NFS mounts no longer acquire a default label 
 nfs_t.

 mount 192.168.1.6:/var/exports/1 1 -orootcontext=system_u:object_r:nfs_t
 mount.nfs: an incorrect mount option was specified
 [ 8316.276744] SELinux:
 security_context_to_sid(system_u:object_r:nfs_t) failed for (dev 0:51,
 type nfs4) errno=-22


 To my surprise, it seems to acquire labels from the NFS server (Fedora
 22/nfs4)  - how is this possible?

 But..it breaks libvirtd/kvm: it sees the right label if this were a
 local filesystem but audit2allow complains:


 ls -lZ guestfs/centos7.img
 -rw-r--r--. 1 qemu qemu system_u:object_r:virt_image_t:s0 22987538432
 May 24 14:56 guestfs/centos7.img
 ## for a image in /var/lib/libvirt this is the correct label.
 ## I do not know how it figured that from the NFS server

 SELinux is preventing qemu-system-x86 from read access on the file
 centos7.img (on NFS share).

 On Fedora 21, the files acquire the label nfs_t and setsebool -P 
 virt_use_nfs=on
 This is unlikely to be related to systemd, we don't really do anything
 special with NFS and especially not its selinux support. We simply
 invoke util-linux' mount command, which in turn calls mount.nfs of the
 nfs-utils package.

 Please contact the nfs-utils guys,

 thank you,

 Lennart


nfs_t should be by default for labels.  The example you have was not
using a complete label.

mount 192.168.1.6:/var/exports/1 1 -orootcontext=system_u:object_r:nfs_t
mount.nfs: an incorrect mount option was specified
[ 8316.276744] SELinux:
security_context_to_sid(system_u:object_r:nfs_t) failed for (dev 0:51,
type nfs4) errno=-22

The label should be

system_u:object_r:nfs_t:s0
not
system_u:object_r:nfs_t

Nfs does now support labeling if you use a RHEL7 or Fedora based server
and client.  But it should still default to nfs_t
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] Docker vs PrivateTmp

[Daniel J Walsh]

Yes I was trying to get a comment from Alex, since he did the original
patch.

On 01/23/2015 12:26 PM, Lennart Poettering wrote:
 On Fri, 23.01.15 11:31, Daniel J Walsh (dwa...@redhat.com) wrote:

 You just sent a full quote without any comment of yours?

 On 01/22/2015 10:02 PM, Lennart Poettering wrote:
 On Sat, 17.01.15 23:02, Lars Kellogg-Stedman (l...@redhat.com) wrote:

 See the `devicemapper` mountpoint created by Docker for the container:

 # grep devicemapper/mnt /proc/mounts
 
 /dev/mapper/docker-253:6-98310-e68df3f45d6151259ce84a0e467a3117840084e99ef3bbc654b33f08d2d6dd62
 
 /var/lib/docker/devicemapper/mnt/e68df3f45d6151259ce84a0e467a3117840084e99ef3bbc654b33f08d2d6dd62
 ext4
 
 rw,context=system_u:object_r:svirt_sandbox_file_t:s0:c261,c1018,relatime,discard,stripe=16,data=ordered
 0 0
 I am not sure why docker makes these mounts visible in the host
 namespace at all. This smells like a bug.

 Watch Docker fail to destroy the container because it is unable to remove 
 the mountpoint directory:

 Jan 17 22:43:03 pk115wp-lkellogg docker-1.4.1-dev[18239]:
 time=2015-01-17T22:43:03-05:00 level=error msg=Handler for DELETE
 /containers/{name:.*} returned error: Cannot destroy container 
 e68df3f45d61:
 Driver devicemapper failed to remove root filesystem
 e68df3f45d6151259ce84a0e467a3117840084e99ef3bbc654b33f08d2d6dd62: 
 Device is
 Busy
 This smells as if Docker incorrectly sets the mount propagation bits
 on its own mounts.

 It would be good checking /proc/self/mountinfo inside and outside of
 docker's own namespace, and checking how the propagation bits are set
 for the individual mounts. It's a bit hard to read, but the
 interesting bits are in the 7th column of that file.

 In general: docker should do the equivalent of mount --make-rslave /
 as first thing after opening its mount namespace, so that from that
 point on mounts and especiall *un*mounts propagate from the host into
 the container, but not vice versa.

 If they do not invoke that, then the propagation will stay at
 shared, which means the mounts will appear in the host and vice
 versa, which is certainly undesired.

 Also, they should not use mount --make-rprivate /, as that means
 anything the host mounted will stay mounted in the container forever,
 which is a problem.

 Also, they really need to make this recursive, so that all mount
 points they have access too are detached from the host!

 Lennart



 Lennart


___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] Docker vs PrivateTmp

[Daniel J Walsh]

On 01/22/2015 10:02 PM, Lennart Poettering wrote:
 On Sat, 17.01.15 23:02, Lars Kellogg-Stedman (l...@redhat.com) wrote:

 See the `devicemapper` mountpoint created by Docker for the container:

 # grep devicemapper/mnt /proc/mounts
 
 /dev/mapper/docker-253:6-98310-e68df3f45d6151259ce84a0e467a3117840084e99ef3bbc654b33f08d2d6dd62
 
 /var/lib/docker/devicemapper/mnt/e68df3f45d6151259ce84a0e467a3117840084e99ef3bbc654b33f08d2d6dd62
 ext4
 
 rw,context=system_u:object_r:svirt_sandbox_file_t:s0:c261,c1018,relatime,discard,stripe=16,data=ordered
 0 0
 I am not sure why docker makes these mounts visible in the host
 namespace at all. This smells like a bug.

 Watch Docker fail to destroy the container because it is unable to remove 
 the mountpoint directory:

 Jan 17 22:43:03 pk115wp-lkellogg docker-1.4.1-dev[18239]:
 time=2015-01-17T22:43:03-05:00 level=error msg=Handler for DELETE
 /containers/{name:.*} returned error: Cannot destroy container 
 e68df3f45d61:
 Driver devicemapper failed to remove root filesystem
 e68df3f45d6151259ce84a0e467a3117840084e99ef3bbc654b33f08d2d6dd62: Device 
 is
 Busy
 This smells as if Docker incorrectly sets the mount propagation bits
 on its own mounts.

 It would be good checking /proc/self/mountinfo inside and outside of
 docker's own namespace, and checking how the propagation bits are set
 for the individual mounts. It's a bit hard to read, but the
 interesting bits are in the 7th column of that file.

 In general: docker should do the equivalent of mount --make-rslave /
 as first thing after opening its mount namespace, so that from that
 point on mounts and especiall *un*mounts propagate from the host into
 the container, but not vice versa.

 If they do not invoke that, then the propagation will stay at
 shared, which means the mounts will appear in the host and vice
 versa, which is certainly undesired.

 Also, they should not use mount --make-rprivate /, as that means
 anything the host mounted will stay mounted in the container forever,
 which is a problem.

 Also, they really need to make this recursive, so that all mount
 points they have access too are detached from the host!

 Lennart


___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] Docker vs PrivateTmp

[Daniel J Walsh]

On 01/19/2015 12:27 AM, Lars Kellogg-Stedman wrote:
 On Sun, Jan 18, 2015 at 11:38:12PM -0500, Lars Kellogg-Stedman wrote:
 I think we actually want MountFlags=slave, which will permit mounts
 from the global namespace to propagate into the service namespace
 without permitting propagation in the other direction.  It seems like
 this would the Least Surprising behavior.
 ...which would be the default if docker.service were itself using
 PrivateTmp=true, because from systemd.exec:

 Note that the file system namespace related options (PrivateTmp=,
 PrivateDevices=, ProtectSystem=, ProtectHome=, ReadOnlyDirectories=,
 InaccessibleDirectories= and ReadWriteDirectories=) require that mount
 and unmount propagation from the unit's file system namespace is
 disabled, and hence downgrade shared to slave.

 So either explicitly setting MountFlags=slave, or setting
 PrivateTmp=true if that doesn't cause any issues of which I am not
 aware.



 ___
 systemd-devel mailing list
 systemd-devel@lists.freedesktop.org
 http://lists.freedesktop.org/mailman/listinfo/systemd-devel
Vincent what do you think about MountFlags=slave?
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

[systemd-devel] I am trying to hook up docker and systemd.

[Daniel J Walsh]

I have a working version of docker which runs systemd/journald within
the container and sets up the /var/log/journal/UUID inside the container
to match the version outside.  I also have registered the container with
machinectl.  Everything seems to work fine except that when I execute

journalctl -M UUID

I get a message saying no logs available.  I then attempted the same
thing with systemd-nspawn, and again  I get no logs availabel.  If I
send a SIGUSR1 to the journal process it finally writes its logs and the
journalctl on the outside sees it.  Is there a way to get the logs to
continuously be written, so jounralctl -M UUID will be able to monitor
the logs, without having to send the SIGUSR1?
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] Should systemd-logind provide a DM-independent mechanism for handling guest accounts?

[Daniel J Walsh]

It would be fairly easy to setup pam_namespace for the guest user to
provide
a temporary /tmp and ~/.  Now, just like we do for xguest.

Then you could setup the login account to use no password and the
guest_u user
and allow users onto the system. 

This would get you most of the things you want.  The problems would be
in having
multiple users get access to the machine at the same time.  For this you
need something
that generates a UID on the fly for the user.  I would expect a fairly
simple pam module
could be done for this. 

One problem with this though would be a user might log in as guest user
but endup getting
the guest134 user account.

This means you would want some kind of sssd interaction, so a user
executing id  or ls -lZ ~/

Would see all of his files and processes running as guest.

Taking advantages of other namespaces to setup additional containment
might also be interesting
especially the pid namespace. 

On 11/10/2014 04:36 PM, Lennart Poettering wrote:
 On Mon, 10.11.14 16:41, Laércio de Sousa 
 (laercioso...@sme-mogidascruzes.sp.gov.br) wrote:

 Hi there!

 Currently there are few alternatives for implementing guest accounts in
 Linux systems. I know only two: an AppArmor-based approach implemented in
 LightDM, and a SELinux-based approach implemented in Fedora's package
 xguest that works with GDM. There's no option for console guest login
 (should it be needed?).

 I was thinking if systemd-logind could handle itself guest accounts in the
 future, making it available for use by any display manager (and even
 console logins, who knows?).

 What do you think about it?
 I figure this pays into the whole concept of dynamic users, which we
 really want to have eventually, to deal with dynamic allocation of
 UIDs for user namespacing in container managers, for allocating
 per-seat users for gdm login screens, and then also for your usecase,
 i.e. to implement guest users that go away entirely on logout.

 So yeah, it's definitely something we want, and I figure it should be
 added to the systemd project in some way.

 Lennart


___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] Expected behavior when systemd cannot load SELinux policy

[Daniel J Walsh]

On 11/07/2014 11:09 AM, Lennart Poettering wrote:
 On Fri, 07.11.14 11:30, Jan Synáček (jsyna...@redhat.com) wrote:

 Hello,

 currently, when SELINUX=enforcing and SELINUXTYPE=invalid value are
 set in /etc/selinux/config, systemd refuses to boot with
 Failed to load SELinux policy. Freezing.

 Is this really what should happen? If SELINUX is set to permissive or
 disabled, though, systemd happily continues booting. I think that that's
 what should happen when SELINUX is set to enforcing as well. Plus a big
 warning in the log, or maybe even on the console, of course.

 What do you think?
 Well, if we are in enforcing mode then this means that everything that
 is not OK needs to fail, and this includes the policy being corrupted
 or missing really.

 Enforcing mode is really this super secure mode where we'd rather
 hang the machine then possibly allow things to go through that might
 not be let through if the policy would be order...

 Lennart

Yes think of super secure systems.  If you had a machine that contained
TopSecret information, then booting without the policy in effect would
potentially
lead to compromised information.
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] [PATCH 2/4] mount-setup: introduce mount_setup_run_dirs()

[Daniel J Walsh]

On 10/08/2014 07:40 AM, Lennart Poettering wrote:
 On Tue, 07.10.14 14:14, Michal Sekletar (msekl...@redhat.com) wrote:

 Hence, if a container manager mounts everything properly, then mount_setup()
 should be a NOP anyway... 
 In theory yes, but in fact not having /run mounted as tmpfs is default in 
 the docker
 container. I have no strong opinion on whether this is sensible or not, 
 however
 I think that systemd can be made more resilient and handle such
 cases. 
 Sorry, but no. /run should be pre-mounted, and if it isn't we need the
 rights to mount it. We will not boot up a system without /run. That's
 part of the API for programs, and we will not avoid it.

 Please ask Docker to premount /run. All distros need /run anyway these
 days, Debian does, Ubuntu does, Fedora does. 

 Now systemd will try to mount /run on tmpfs, such attempt will fail because 
 of
 missing capability and then systemd will just hang.
 Well, just sticking the head in the sand won't help. If we don't have
 /run mounted, then things will break later on. We cannot ignore that.

 Sorry,

 Lennart

We have a patch for this.  In the past docker has bocked/removed the
patch because there is
no concept of systemd-tmpfs inside a container to pre-populate /run.  So
images came with content in their
/run.

Alex wrote a patch to scan the /run on the image and create the content
in a tmpfs /run.  I will attempt to push this
patch again to docker.


___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] User sessions: limit the ability to migrate cgroups

[Daniel J Walsh]

On 08/13/2014 12:11 PM, Alban Crequy wrote:
 On Wed, 13 Aug 2014 16:37:17 +0200
 Lennart Poettering lenn...@poettering.net wrote:

 On Thu, 07.08.14 15:19, Alban Crequy (alban.cre...@collabora.co.uk)
 wrote:

 Hi,

 Should unprivileged processes be allowed to change cgroup?
 Well, they shouldn#t do it. But I think it's OK as long as this is
 only done within the specific user's hierarchies.

 As I understand it, it is not possible to block processes to
 leave a cgroup, but only to block processes to enter a cgroup.
 Correct.

 In the following example, session-c4.scope/tasks belongs to
 root:root with -rw-r--r-- and user@1000.service/tasks belongs to
 user:user with -rw-r--r--.
 Yes, this is because systemd --user needs to be able to manage its own
 cgroup subtree, so we have to open this up for the user@1000.service
 service, but keep it restricted otherwise...
 It makes sense.

 So processes can freely move from session-c4.scope to
 user@1000.service. But not in the other direction.
 Correct.
 $ systemd-cgls
 Working Directory /sys/fs/cgroup/systemd/user.slice/user-1000.slice:
 ├─session-c4.scope
 │ ├─713 sshd: user [priv]  
 │ ├─722 sshd: user@pts/2   
 │ ├─723 -bash
 │ ├─732 systemd-cgls
 │ └─733 pager
 ├─user@1000.service
 │ ├─406 /lib/systemd/systemd --user

 With user sessions managed by systemd, will it be possible to
 restrict unprivileged users from migrating to other cgroups?
 Unlikely. Access control on Unix is generally bound to user IDs, not
 processes, and we really shouldn't start here with departing from
 that...
 I tested SELinux and AppArmor to restrict /sys/fs/cgroup/.

 SELinux didn't help because the cgroup file system does not support
 extended attributes such as security.selinux, but AppArmor was able
 to block an application from changing cgroup.

 Alban
 ___
 systemd-devel mailing list
 systemd-devel@lists.freedesktop.org
 http://lists.freedesktop.org/mailman/listinfo/systemd-devel
You could mount the cgroup with a label that the intended domain could
not write.  Similarly you could just prevent the domain from writing to
cgroupfs_t.

Which is the default label of the cgroup file system.   No confined/Few
domains right now should be allowed to write to cgroupfs_t.
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] Blog on running systemd within a docker container.

[Daniel J Walsh]

On 05/02/2014 11:54 AM, Lennart Poettering wrote:
 On Wed, 30.04.14 14:21, Daniel J Walsh (dwa...@redhat.com) wrote:

 http://rhatdan.wordpress.com/2014/04/30/running-systemd-within-a-docker-container/
 There are a couple of things in the story that I'd like to correct:

 1) udev isn't actually started when systemd detects that /sys is read-only. 
 See:

 http://www.freedesktop.org/wiki/Software/systemd/ContainerInterface/

 The idea here is that docker should mount /sys read-only (already for
 for security purposes it should do that). When that's done udev is not
 started, and that requires no explicit work by you. I's conditionalized
 via ConditionPathIsWritable=/sys.
There is a pull request to mount /proc and /sys as readonly that looks
like it is going upstream soon.  The readonly mount will only happen in
non-priv containers.  Once we have the ability to add SYS_ADMIN
capability to a non-priv container, I should be able to run systemd
inside a container and this should work.
 2) systemd doesn't even start getty logins (plural!). If it detects it
 runs inside a container it will actually start exactly one, on
 /dev/console. We can improve systemd to find out a way how to even
 disable that. For example, we could build on $container_ttys (see the
 url above), and maybe intrdouce $container_headless=1 or so, which when
 set will result in systemd to not start any getty at all.
I think this would be good, since we plan on using nsenter to join
containers, don't think we want getty/login running there by default.
 3) THis is similar for all the other .wants/ links you remove. I think
 we really should avoid doing this. Instead, it sounds better to make
 sure systemd automatically figures out when to start specific services
 and when to not do that. As it turns out we did this for quite a few of
 the services in there already. For example, systemd-binfmt is already
 skipped if /proc/sys is not writable anyway... And so on. So instead of
 doing blanket removals, please let us know which ones you see running
 that you'd rather not see running, and we can figure out a way how to
 conditionaliuze them upstream so that unmodified systemd just works for
 you...
Once we have a better docker, and I can run systemd in a non priv
container, I will attempt this again, and see what processes get started
without the cleanups in the .wants directories.  I too would like to get
rid of these.
 To say this explicitly: we are really interested in making sure that
 systemd runs out-of-the-box in containers, and docker is just one
 implementation of that.

 Lennart

Great, and I want to make systemd the default tool for running multiple
services within a docker container.  I like it for running a single
service also, since it is so simple.  I would like to talk to you guys
about getting the journal information out of the container.  IE with
this model we loose STDOUT/STDERR and /dev/log entries showing up in the
hosts journal.  We can bind mount /dev/log into the container, but we
still loose STDOUT/STDERR
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] Blog on running systemd within a docker container.

[Daniel J Walsh]

On 05/01/2014 09:28 AM, Zbigniew Jędrzejewski-Szmek wrote:
 On Wed, Apr 30, 2014 at 02:21:44PM -0400, Daniel J Walsh wrote:
 http://rhatdan.wordpress.com/2014/04/30/running-systemd-within-a-docker-container/
 Interesting.

 The part where you remove all the links in .wants directories seems
 ugly. Would it be feasible to use a custom target instead of
 multi-user.target? Things removed this way will come back if
 e.g. systemd rpm is updated inside of the image. Judicious use of
 systemctl mask and setting a custom preset of 'disable *' should also
 help.

 Zbyszek
Well I want people to be able to yum install httpd; systemctl enable
httpd.service
Which I believe requires the multi-user.target to work correctly.

If you have better systemctl mask commands, I would love to use them
instead.

___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

[systemd-devel] Blog on running systemd within a docker container.

[Daniel J Walsh]

http://rhatdan.wordpress.com/2014/04/30/running-systemd-within-a-docker-container/

___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] pcre in daemons

[Daniel J Walsh]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 02/26/2014 03:05 PM, Zbigniew Jędrzejewski-Szmek wrote:
 On Wed, Feb 26, 2014 at 08:54:34PM +0100, Thomas H.P. Andersen wrote:
 The todo says: something pulls in pcre as shared object dependency into
 our daemons such as hostnamed
 
 Normal buiild: ldd ./systemd-hostnamed linux-vdso.so.1 =
 (0x7fff247bc000) libselinux.so.1 = /lib64/libselinux.so.1
 (0x7f7ec47f7000) librt.so.1 = /lib64/librt.so.1
 (0x7f7ec45ef000) libdl.so.2 = /lib64/libdl.so.2
 (0x7f7ec43ea000) libpthread.so.0 = /lib64/libpthread.so.0
 (0x7f7ec41cd000) libc.so.6 = /lib64/libc.so.6 (0x7f7ec3e0e000) 
 /lib64/ld-linux-x86-64.so.2 (0x7f7ec4a2f000) libpcre.so.1 =
 /lib64/libpcre.so.1 (0x7f7ec3ba7000) liblzma.so.5 =
 /lib64/liblzma.so.5 (0x7f7ec3982000)
 It's a selinux problem (or not, if it actually uses pcre's). ldd
 /lib64/libselinux.so.1 linux-vdso.so.1 =  (0x7fff58bfe000) 
 libpcre.so.1 = /lib64/libpcre.so.1 (0x00380340) liblzma.so.5 =
 /lib64/liblzma.so.5 (0x0035d680) libdl.so.2 = /lib64/libdl.so.2
 (0x0035d2c0) libc.so.6 = /lib64/libc.so.6 (0x0035d200) 
 /lib64/ld-linux-x86-64.so.2 (0x0035d180) libpthread.so.0 =
 /lib64/libpthread.so.0 (0x0035d280)
 
 Zbyszek ___ systemd-devel
 mailing list systemd-devel@lists.freedesktop.org 
 http://lists.freedesktop.org/mailman/listinfo/systemd-devel
 
libselinux and systemd take advantage of pcre for speeding up the handling of
reading in the  labeling file.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlMOWzAACgkQrlYvE4MpobMP1QCgt0EMALHGgrb9Z+cG11RvQvx3
U5EAoIl0M0oYdjA+3PmOJE1sn9NDo66v
=ukVz
-END PGP SIGNATURE-
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] [PATCH] selinux: Only attempt to load policy exactly once, in the real root

[Daniel J Walsh]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 02/20/2014 02:27 PM, Eric Paris wrote:
 I like it, if it's reasonable/possible
 
 On Thu, Feb 20, 2014 at 2:26 PM, Lennart Poettering 
 lenn...@poettering.net wrote:
 On Thu, 20.02.14 13:50, Eric Paris (epa...@parisplace.org) wrote:
 
 Not really.  If it doesn't exist on the final root fs and I put 
 enforcing=1 on the command line, I expect the box to 
 panic/fail/die/whatever
 
 OK, then maybe check !in_initrd() || access(/etc/selinux/, F_OK) =
 0?
 
 Lennart
 
 -- Lennart Poettering, Red Hat
 ___ Selinux mailing list 
 seli...@tycho.nsa.gov To unsubscribe, send email to
 selinux-le...@tycho.nsa.gov. To get help, send an email containing help
 to selinux-requ...@tycho.nsa.gov.
You mean

!in_initrd() || access(selinux_path(), F_OK) = 0?
-BEGIN PGP SIGNATURE-
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlMGW1AACgkQrlYvE4MpobOeUgCg3YoRWatuabfOsAGLD4p09QVo
PYMAn3hDTBy4ePCPy/jORYlE+KGotSxE
=kkZx
-END PGP SIGNATURE-
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] [PATCH 1/3] Add SELinuxContext configuration item

[Daniel J Walsh]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 02/07/2014 08:22 AM, Michael Scherer wrote:
 Le jeudi 06 février 2014 à 12:21 -0800, David Timothy Strauss a écrit :
 In order to maximize consistency with newly committed options in 
 systemd-nspawn, would it make sense to allow independent configuration of
 the process and file labels instead?
 
 
 The file label are decided by selinux policy based on the path and/or 
 process domain, from what I seen.
 
 In the case of systemd-nspawn, it is done by using a specific option of 
 mount, and only for tmpfs/devpts.
 
 So I am not sure if this can be done, and i fail to see a usecase for that
 ( except having container described in .service, which could be nice but
 maybe too much )
 
Yes the goal with the file system labels is for tmpfs file systems
created/mounted within the systemd-nspawn.

If you are using a chrooted OS, then its labeling should be done outside the
command.

I wanted to also allow this to be generic so other labeling tools like SMACK
could also be used.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlL6Q8AACgkQrlYvE4MpobNf8ACcC+B/5yvbOnOPiRoDQYiokGT+
xe0AmwR7qdFnJ/aqzTMfL0lcPYCUGYs2
=Pk3g
-END PGP SIGNATURE-
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] [PATCH 1/1] Allow systemd to run without assigning container to machine.slice

[Daniel J Walsh]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 01/30/2014 07:09 PM, Zbigniew Jędrzejewski-Szmek wrote:
 On Thu, Jan 30, 2014 at 04:29:14PM -0500, Dan Walsh wrote:
 If I want to run a container as a service, it would be nice if it used
 the service cgroup configuration
 Your patch will break the integration with machienctl, etc. Would instead
 assigning the slice with --slice be enough?
 
 Zbyszek
 
My goal is if I run systemd-nspawn within a systemd unit file, perhaps as a
plugin to docker, I want to allow the system administrator to just add

MemoryLimit=500m

To the unit file and have it effect the processes within the container.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlLrpMEACgkQrlYvE4MpobMe5wCfaRR70wrnY2bU+SgzCFLlSeSO
CSEAn1t+TDnEkj0VeMp6HTSK/QoK2xO+
=SDyW
-END PGP SIGNATURE-
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] [PATCH 1/1] Allow systemd to run without assigning container to machine.slice

[Daniel J Walsh]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 01/31/2014 10:45 AM, Zbigniew Jędrzejewski-Szmek wrote:
 On Fri, Jan 31, 2014 at 10:00:12AM -0500, Daniel J Walsh wrote:
 My plan is not to have the user no they are running systemd-nspawn
 
 Imaging the user is creating a httpd container unit file using docker, 
 described in this document.
 
 http://welldefinedbehaviour.wordpress.com/2014/01/30/adventures-with-containerization-fedora-docker-and-httpd/



 
[Unit]
 Description=example.com Container After=docker.service
 
 [Service] Type=simple ExecStart=/usr/bin/docker run -v
 /srv/example.com:/srv httpd-test1 Restart=on-failure
 
 
 Currently docker uses lxc tools under the covers to launch the container,
 we want to add a plugin to use systemd-nspawn.
 
 docker - systemd-nspawn - container
 
 But we want the docker, systemd-nspawn and the container all affected by
 any Cgroup entries in the unit file.  So I want the container to run as a
 service slice not a machine slice.
 And if you specify --slice=system-something.slice, doesn't this do the
 job?
 
 Zbyszek
 

How would the docker command know what slice to assign it to?  Why not just
eliminate systemd-nspawn doing anything with slices if I pass the service flag
or some other flag.


-BEGIN PGP SIGNATURE-
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlLrxnoACgkQrlYvE4MpobO1mgCglDP9B5DadqucUEyxAgSeBVYf
G3sAoIBuzpooNd5K+cBQ8ks22pxp6az5
=qw4r
-END PGP SIGNATURE-
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] [PATCH 1/1] Allow systemd to run without assigning container to machine.slice

[Daniel J Walsh]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 01/31/2014 11:20 AM, Zbigniew Jędrzejewski-Szmek wrote:
 On Fri, Jan 31, 2014 at 10:51:22AM -0500, Daniel J Walsh wrote:
 Currently docker uses lxc tools under the covers to launch the
 container, we want to add a plugin to use systemd-nspawn.
 
 docker - systemd-nspawn - container
 
 But we want the docker, systemd-nspawn and the container all affected
 by any Cgroup entries in the unit file.  So I want the container to
 run as a service slice not a machine slice.
 And if you specify --slice=system-something.slice, doesn't this do
 the job?
 
 How would the docker command know what slice to assign it to?  Why not
 just eliminate systemd-nspawn doing anything with slices if I pass the
 service flag or some other flag.
 It's not possible to disable slices, nspawn will always end up in some
 slice.
 
 The docker command already needs to know about systemd-nspawn to launch
 it. So it can just give the --slice option. If you want this to be part of
 the /system slice, than anything like --slice=system-container-id.slice
 will be fine. And the limits can be set on the slice as wanted. Note that
 the slice unit doesn't have to exist, it will be created when
 referenced.
 
 Zbyszek
 
I know it has to be in a slice, I just want it to stay in the same slice that
the docker command is in.

If I could run --slice=current that would be fine.

If I create the httpd_container.service, it will create the
service-httpd_container.slice and docker will run there.  I want
systemd-nspawn and more importantly the container processes to stay in
httpd_containe.slice.  I guess I could get docker to check which slice it is
in, if that was possible, but I see no reason why we can not stop doing
slice stuff in systemd-nspawn, if a user wants it to run within his current
slice.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlLr0HsACgkQrlYvE4MpobMi+wCfY9LD7CzEOYVIrj79i1+i2T/p
HVEAoL7jmMNXod6lOULx7AHkTbih9c5i
=Vq2a
-END PGP SIGNATURE-
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] [PATCH 1/1] Allow systemd to run without assigning container to machine.slice

[Daniel J Walsh]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 01/31/2014 09:51 AM, Zbigniew Jędrzejewski-Szmek wrote:
 On Fri, Jan 31, 2014 at 08:27:29AM -0500, Daniel J Walsh wrote:
 -BEGIN PGP SIGNED MESSAGE- Hash: SHA1
 
 On 01/30/2014 07:09 PM, Zbigniew Jędrzejewski-Szmek wrote:
 On Thu, Jan 30, 2014 at 04:29:14PM -0500, Dan Walsh wrote:
 If I want to run a container as a service, it would be nice if it
 used the service cgroup configuration
 Your patch will break the integration with machienctl, etc. Would
 instead assigning the slice with --slice be enough?
 
 Zbyszek
 
 My goal is if I run systemd-nspawn within a systemd unit file, perhaps as
 a plugin to docker, I want to allow the system administrator to just add
 
 MemoryLimit=500m
 You can set the limit on the service, or on the slice.
 
 On the service: #
 /etc/systemd/system/systemd-nspawn@container.d/limits.conf [Service] 
 MemoryLimit=500M
 
 On the slice: #
 /etc/systemd/system/systemd-nspawn@container.d/slice.conf [Service] 
 Slice=system-container.slice
 
 # /etc/systemd/system/system-container.slice # (note that the path here
 makes this slice part of /system not /machine [Slice] MemoryLimit=500M
 
 You can alternatively specify the slice with --slice argument to nspawn.
 
 Zbyszek
 
My plan is not to have the user no they are running systemd-nspawn

Imaging the user is creating a httpd container unit file using docker,
described in this document.

http://welldefinedbehaviour.wordpress.com/2014/01/30/adventures-with-containerization-fedora-docker-and-httpd/


[Unit]
Description=example.com Container
After=docker.service

[Service]
Type=simple
ExecStart=/usr/bin/docker run -v /srv/example.com:/srv httpd-test1
Restart=on-failure


Currently docker uses lxc tools under the covers to launch the container, we
want to add a plugin to use systemd-nspawn.

docker - systemd-nspawn - container

But we want the docker, systemd-nspawn and the container all affected by any
Cgroup entries in the unit file.  So I want the container to run as a service
slice not a machine slice.


The user will never execute systemd-nspawn in this case.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlLrunwACgkQrlYvE4MpobOacACeMMWBJZjJXiHKEhT+Dp8xB4tl
viEAn0pMcKsQriVNSrpltlW2gtG+VhH3
=uJiv
-END PGP SIGNATURE-
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] [PATCH] Add SELinuxContext configuration item

[Daniel J Walsh]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 01/03/2014 12:35 PM, Michael Scherer wrote:
 Le vendredi 03 janvier 2014 à 11:48 -0500, Daniel J Walsh a écrit :
 On 01/03/2014 09:16 AM, Michael Scherer wrote:
 
 Well thinking about this again, I think still to the single label.  Lets
 not break the field up into multiple labels.
 
 And not make it SELinux specific.  Maybe the field could be
 SecurityLabel:
 
 That would allow smack to also use the field and any other LSM that used
 a labeling system.
 
 I fail to follow you. The current code use setexecon, and this is quite 
 selinux specific. What would be the equivalent for apparmor, for smack and
 others ?
 
 
No idea, I only do SELinux...

But as Kay Pointed out, there is some similar code in udev for this.

 
 Udev uses: SECLABEL{selinux}=foo SECLABEL{smack}=bar
 
 I think we should be able to distinguish the LSM-module-specific label type
 somehow in the key or value.
 
 Kay



-BEGIN PGP SIGNATURE-
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlLKsRYACgkQrlYvE4MpobOZaACfZTo4JI3dYFhZ9bXKTVkQrQy0
nB4AoLS6FYmmiasReuREK+oedjWn/jI5
=K5oJ
-END PGP SIGNATURE-
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] [PATCH] Add SELinuxContext configuration item

[Daniel J Walsh]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 01/03/2014 09:16 AM, Michael Scherer wrote:
 Le vendredi 03 janvier 2014 à 12:23 +, Jóhann B. Guðmundsson a écrit
 :
 On 01/03/2014 10:56 AM, Michael Scherer wrote:
 Le vendredi 03 janvier 2014 à 00:58 +, Jóhann B. Guðmundsson a 
 écrit :
 On 12/28/2013 01:30 PM, Lennart Poettering wrote:
 On Fri, 27.12.13 23:26,m...@zarb.org  (m...@zarb.org) wrote:
 
 From: Michael Schererm...@zarb.org
 
 This permit to let system administrators decide of the domain
 of a service. This can be used with templated units to have
 each service in a différent domain ( for example, a per
 customer database, using MLS or anything ), or can be used to
 force a non selinux enabled system (jvm, erlang, etc) to start
 in a different domain for each service.
 Hmm, so far (as I understood it) the SELinux guys always wanted to
 make sure that label configuration stays in the the selinux
 database and nowhere else.
 Right and if you add this you need to add something for the other 
 security solutions as well ( apparmor etc ).
 I do not see why we need to equally support all MAC frameworks for
 each change we do.
 
 Because people will start to expect being able to configure that there.
 
 So they can as well start to fill bug report and start to contribute code
 for this.
 
 We didn't added detection of all security framework for ConditionSecurity
 at the first patch, it was added later as people expressed interest ( hence
 the lack of tomoyo ), so I expect the same to be done for security
 frameworks. Also, having done my homework, IMA do not have the concept of
 domain, apparmor has profiles, and I have no idea for smack, so I prefer to
 defer integration to people who know, based on their use cases.
 
 And while I am familiar enough with apparmor to create a equivalent
 setting ( and plan to do ), I have no idea on how to translate the
 concept for smack, ima and tomoyo.
 
 In fact, the mere fact that tomoyo is not handled at all already show 
 that we do treat all security framework as equal.
 
 How do you suppose we deal with man pages if selinux is not installed but
 still refer to this.
 
 In the same way we do for all #ifdef feature. For example, for PAMName, the
 documentation is always present.
 
 Wont users also need to check if selinux is enabled or not in the unit 
 file?
 
 I would rather do it in the C code, no need to have everybody asking for 
 it.
 
 Should systemd warn users if selinux is not installed,enabled and fail
 or?
 
 It all depend. Either we are consistent with the other settings ( ie, 
 setting a syscall filter will fail if not supported on the kernel ), and so
 fail, or we decide that selinux is special and we should silently ignore
 failure if it cannot be applied.
 
 I choose the first one for the first patch, but adding a conditional would
 be trivial if we decide to silently ignore if the setting cannot be
 applied.
 
 The main issue being of course that people who disable selinux do not 
 always properly disable it ( ie using permissive rather than selinux=0 ).
 
 
 
 
 This introduces yet another place for administrators to look at
 while debugging problems so the question to ask here is.
 
 Is adding this ability to unit files the right way to solve what's 
 trying to be solved here?
 As Dan said, yes.
 
 I would prefer if app writers do not start hard coding SELinux contexts
  into the unit file
 
 I hardly call that solid yes and this is what will start taking place if
  this is introduced into the unit files.
 
 Then what about : I like this patch, and I have seen people saying we have
 this capability in RHEL7  :^(
 
 We should separate the concern about people in distribution/upstream using
 it if offered and the rest of the world. Distribution policy is a matter
 of the distribution. If Fedora wish to forbid this unless there is a good
 use case, that's up to Fedora to do it, and to have it integrated into
 rpmlint or anything.
 
 I must also say that I didn't really see a rush from application developers
 to add selinux support or anything, and that people can already distribute
 policy along their application, with all support problem this could create
 for distributions. So we already have the problem, adding the setting in
 systemd wouldn't change much.
 
 
 However, as said, there is some case where the approach of making the 
 transition based on the executed filename is not sufficient. For 
 example, the erlang vm, the jvm, etc, because each software will run
 in the same domain, in different processes, because that's always the
 same jvm being used. See the bug I mentioned before.
 
 Now, if you have a more precise feedback and/or a better proposal,
 
 Add this to the daemon startup itself ( the confile or the code ) and or
  use runcon in an exec start pre section to set this up.
 
 Runcon cannot be used in ExecStartPre, that's like su. So you have to run
 it in ExecStart, and this make things harder for sysadmins, and 

Re: [systemd-devel] [PATCH] Add SELinuxContext configuration item

[Daniel J Walsh]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 12/28/2013 11:47 AM, Michael Scherer wrote:
 Le samedi 28 décembre 2013 à 14:30 +0100, Lennart Poettering a écrit :
 On Fri, 27.12.13 23:26, m...@zarb.org (m...@zarb.org) wrote:
 
 From: Michael Scherer m...@zarb.org
 
 This permit to let system administrators decide of the domain of a
 service. This can be used with templated units to have each service in
 a différent domain ( for example, a per customer database, using MLS or
 anything ), or can be used to force a non selinux enabled system (jvm,
 erlang, etc) to start in a different domain for each service.
 
 Hmm, so far (as I understood it) the SELinux guys always wanted to make 
 sure that label configuration stays in the the selinux database and 
 nowhere else.
 
 Yep, I know and they are right, we shouldn't put configuration everywhere
 in the system. But there is a few cases where the selinux policy cannot
 express what we want ( or at least, I do not know how to do it ).
 
 First case is doing something like openshift, with 1 different domain per
 user. Since the transitions are mostly handled in kernel space ( except for
 specific case like sepostgresql ), it kinda restrict what we can do in term
 of smart transition. In the case of openshift, this use a specific pam
 module (pam_openshift) and specific plugins in the code, because the policy
 is a bit too static to handle that.
 
 So using templated units, we could do for example : 
 SELinuxContext=staff_u:staff_r:%s_t:s0-s0:c0.c1023
 
 or similar tricks. Or just handle things manually, with static
 SELinuxContext ( or include, or anything ).
 
 
 The second case is caused by a limitation of the current way of doing 
 transition. My main motivation is to solve 
 https://bugzilla.redhat.com/show_bug.cgi?id=969757 , because right now, we
 cannot ask to erlang to run in a different domain unless if we write 1
 shell wrapper per erlang application just to trigger the transition, or
 until we make erlang selinux-aware, like postgresql is. So rather than
 duplicate shell wrappers or adding code everywhere, I was thinking doing it
 in systemd directly would be beneficial for everybody by reducing needed
 changes to the only stuff that matter, having the context we want to switch
 to.
 
 I do not expect SELinuxContext to be used by upstream units, and I guess 
 that a distribution can decide to have them being unused by policy if 
 that's a issue.
 
 It should also be noted that upstart do support a similar configuration for
 apparmor, 
 https://code.launchpad.net/~mdeslaur/upstart/apparmor-support/+merge/164169

 
And I was pondering on adding it as well to systemd, since some systemd
 consumers are using apparmor, and because feature parity is IMHO important
 if we want to let people use systemd on Ubuntu.
 
 
 I'd like Dan Walsh's opinion whether this addition fits into what the 
 SELinux guys want or not. Dan?
 
 Patch looks fine though.
 

I like this patch, and I have seen people saying we have this capability in
RHEL7  :^(

Currently people in a sysvinit scripts are using runcon for similar features.
 And as someone described handling of java, mono, erlang type scripts where
the command is not easy to differentiate.

We also allow people to do something similar with sudo.  ROLE=unconfined_r
TYPE=unconfined_t.

I would prefer if app writers do not start hard coding SELinux contexts into
the unit files, but allowing administrators or third parties like openshift to
override I do not have a problem with it.

It could allow a administrator to say run this script as unconfined_t, which
may or may not cause other problems.

We might want to allow more granularity on this then just context.Since we
allow sudo to specify role and type and we allow runcon to specify all fields
of SELinux.

BTW Use dwa...@redhat.com for my email, not my private (Not so private) home
email.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlLFlCoACgkQrlYvE4MpobMVZgCghr6UOCybitcKKqV5HKISjKDc
EhoAn36vppR/4zrjhBeyypzlWqawDxdn
=3jEw
-END PGP SIGNATURE-
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] [PATCH] selinux: fix selinux check for transient units

[Daniel J Walsh]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 11/18/2013 05:45 PM, Michal Sekletar wrote:
 On Mon, Nov 18, 2013 at 04:19:20PM -0500, Daniel J Walsh wrote: On
 11/16/2013 08:10 AM, Lennart Poettering wrote:
 On Thu, 14.11.13 15:43, Daniel J Walsh (dwa...@redhat.com) wrote:
 
 
 -BEGIN PGP SIGNED MESSAGE- Hash: SHA1
 
 On 11/14/2013 12:50 PM, Harald Hoyer wrote:
 On 11/05/2013 11:12 PM, Daniel J Walsh wrote:
 On 11/05/2013 12:22 PM, Lennart Poettering wrote:
 
 Ok lets add a check that checks for start on a service labeled
 with the remote process label, then we can add rules like
 
 allow systemd_logind_t self:service start
 
 Or we can make it simpler and have the local end check against
 the init_t process.
 
 allow systemd_logind_t init_t:service start;
 
 Which is probably a better solution, if we have no way of 
 differentiating the services.
 
 Machineid usually runs as init_t now.
 
 systemd-run runs as the label of the process that executes it, 
 Usually unconfined_t, and sysadm_t.
 
 
 has any solution been found for this?
 
 seems like one is needed for 
 https://bugzilla.redhat.com/show_bug.cgi?id=1008864
 
 
 I guess the question I have is do you expect a patch from me?  Or
 are you guys working on it?  I would go with the checking based on
 process label.
 
 I am hoping for a patch for this!
 
 Thanks,
 
 Lennart
 
 
 This patch adds a new call for SELINUX_SNAPSHOT_ACCESS_CHECK, because I 
 believe this error will happen when a snapshot is created.  Also now pass
 in system when doing a system check, if it is doing a service check and
 does not pass in a unit file we will default the target to the label that
 systemd is running with.
 
 Hi,
 
 Maybe I am missing something but isn't this about transient units in
 general, i.e. what about StartTransient()? What is going to change in
 this case after applying this patch? tclass will be system since in
 SELINUX_ACCESS_CHECK you now pass system as path and you will set
 tclass in else branch to system which is afaik same as before.
 
In the current code, passing a unit_file of NULL (StartTransients has a NULL
UnitFile) will indicate that it should do a system check.  My patch is
intended to change this so a NULL UnitFile will indicate that systemd should
check the access between the calling process label and the current process
label for a service access.  Where as the SELINUX_ACCESS_CHECK will now pass
a system flag to the function to make it do a system check.
 On the side note, you forgot to define SELINUX_SNAPSHOT_ACCESS_CHECK as
 do {} while (false) in case if we don't HAVE_SELINUX.
 
 It might be the case that I completely misunderstood what's this about,
 in such case ignore this email.
 
 Michal
 

Thanks added  SELINUX_SNAPSHOT_ACCESS_CHECK as do {} while (false) in case if
we don't HAVE_SELINUX.

Updated patch.

snip

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.15 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlKLbaEACgkQrlYvE4MpobPMMACeNeyrC3OBhx99DZ+JzOtV1ykZ
PvMAoJfiYBoJRBFgh2+FyOV+tNTuojNU
=9I5G
-END PGP SIGNATURE-
From b372b48016f5c015b34db9f53b7a54a64a5a84e8 Mon Sep 17 00:00:00 2001
From: Dan Walsh dwa...@redhat.com
Date: Mon, 18 Nov 2013 15:52:37 -0500
Subject: [PATCH] Fix SELinux check for snapshot and transitent unit creation.

SELinux does not have a path to check for a snapshot or transient
unit files service creation.  Currently systemd does a bogus check.

If we don't have a unit file for a snapshot or transient unit we i
should check if the remote process label, has the required access
for a service with the SELinux label that systemd is running with.

Add SELINUX_SNAPSHOT_ACCESS_CHECK for non SELinux environments
---
 src/core/dbus-manager.c   |  2 +-
 src/core/selinux-access.c |  9 +
 src/core/selinux-access.h | 13 +
 3 files changed, 19 insertions(+), 5 deletions(-)

diff --git a/src/core/dbus-manager.c b/src/core/dbus-manager.c
index 747bcfc..a60a568 100644
--- a/src/core/dbus-manager.c
+++ b/src/core/dbus-manager.c
@@ -1112,7 +1112,7 @@ static DBusHandlerResult bus_manager_message_handler(DBusConnection *connection,
 dbus_bool_t cleanup;
 Snapshot *s;
 
-SELINUX_ACCESS_CHECK(connection, message, start);
+SELINUX_SNAPSHOT_ACCESS_CHECK(connection, message, start);
 
 if (!dbus_message_get_args(
 message,
diff --git a/src/core/selinux-access.c b/src/core/selinux-access.c
index c7e951c..af34b9e 100644
--- a/src/core/selinux-access.c
+++ b/src/core/selinux-access.c
@@ -374,8 +374,9 @@ int selinux_access_check(
 goto finish;
 }
 
-if (path) {
-tclass = service;
+
+tclass = service;
+if (path  strneq(path,system, strlen(system))) {
 /* get the file context of the unit file */
 r = getfilecon(path, fcon);
 if (r  0

Re: [systemd-devel] [PATCH] selinux: fix selinux check for transient units

[Daniel J Walsh]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 11/16/2013 08:10 AM, Lennart Poettering wrote:
 On Thu, 14.11.13 15:43, Daniel J Walsh (dwa...@redhat.com) wrote:
 
 
 -BEGIN PGP SIGNED MESSAGE- Hash: SHA1
 
 On 11/14/2013 12:50 PM, Harald Hoyer wrote:
 On 11/05/2013 11:12 PM, Daniel J Walsh wrote:
 On 11/05/2013 12:22 PM, Lennart Poettering wrote:
 
 Ok lets add a check that checks for start on a service labeled with
 the remote process label, then we can add rules like
 
 allow systemd_logind_t self:service start
 
 Or we can make it simpler and have the local end check against the
 init_t process.
 
 allow systemd_logind_t init_t:service start;
 
 Which is probably a better solution, if we have no way of
 differentiating the services.
 
 Machineid usually runs as init_t now.
 
 systemd-run runs as the label of the process that executes it,
 Usually unconfined_t, and sysadm_t.
 
 
 has any solution been found for this?
 
 seems like one is needed for 
 https://bugzilla.redhat.com/show_bug.cgi?id=1008864
 
 
 I guess the question I have is do you expect a patch from me?  Or are you
 guys working on it?  I would go with the checking based on process
 label.
 
 I am hoping for a patch for this!
 
 Thanks,
 
 Lennart
 

This patch adds a new call for SELINUX_SNAPSHOT_ACCESS_CHECK, because I
believe this error will happen when a snapshot is created.  Also now pass in
system
when doing a system check, if it is doing a service check and does not pass in
a unit file we will default the target to the label that systemd is running 
with.

How does this patch look?

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.15 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlKKhFgACgkQrlYvE4MpobNd1ACbBrwtl5T/CEhCttI9QZ3IZbes
k8UAoODr9J6D0CoyZfpdpvILU7QpxOD2
=0zYK
-END PGP SIGNATURE-
From d8e5784f64a68580f136b99cd5e3fd173586312f Mon Sep 17 00:00:00 2001
From: Dan Walsh dwa...@redhat.com
Date: Mon, 18 Nov 2013 15:52:37 -0500
Subject: [PATCH] Fix SELinux check for snapshot creation.

SELinux does not have a path to check for a snapshot servic creation.
This ends up giving us a bogus check.

On snapshot creation we should check if the remote process type, has the ability to start a service with the type that systemd is running with.
---
 src/core/dbus-manager.c   |  2 +-
 src/core/selinux-access.c |  9 +
 src/core/selinux-access.h | 12 
 3 files changed, 18 insertions(+), 5 deletions(-)

diff --git a/src/core/dbus-manager.c b/src/core/dbus-manager.c
index 747bcfc..a60a568 100644
--- a/src/core/dbus-manager.c
+++ b/src/core/dbus-manager.c
@@ -1112,7 +1112,7 @@ static DBusHandlerResult bus_manager_message_handler(DBusConnection *connection,
 dbus_bool_t cleanup;
 Snapshot *s;
 
-SELINUX_ACCESS_CHECK(connection, message, start);
+SELINUX_SNAPSHOT_ACCESS_CHECK(connection, message, start);
 
 if (!dbus_message_get_args(
 message,
diff --git a/src/core/selinux-access.c b/src/core/selinux-access.c
index c7e951c..af34b9e 100644
--- a/src/core/selinux-access.c
+++ b/src/core/selinux-access.c
@@ -374,8 +374,9 @@ int selinux_access_check(
 goto finish;
 }
 
-if (path) {
-tclass = service;
+
+tclass = service;
+if (path  strneq(path,system, strlen(system))) {
 /* get the file context of the unit file */
 r = getfilecon(path, fcon);
 if (r  0) {
@@ -384,9 +385,9 @@ int selinux_access_check(
 log_error(Failed to get security context on %s: %m,path);
 goto finish;
 }
-
 } else {
-tclass = system;
+if (path)
+tclass = system;
 r = getcon(fcon);
 if (r  0) {
 dbus_set_error(error, DBUS_ERROR_ACCESS_DENIED, Failed to get current context.);
diff --git a/src/core/selinux-access.h b/src/core/selinux-access.h
index 2d7ac64..53bb9b0 100644
--- a/src/core/selinux-access.h
+++ b/src/core/selinux-access.h
@@ -36,6 +36,18 @@ int selinux_access_check(DBusConnection *connection, DBusMessage *message, const
 DBusConnection *_c = (connection);  \
 DBusMessage *_m = (message);\
 dbus_error_init(_error);   \
+_r = selinux_access_check(_c, _m, system, (permission), _error); \
+if (_r  0) \
+return bus_send_error_reply(_c, _m, _error, _r); \
+} while (false)
+
+#define SELINUX_SNAPSHOT_ACCESS_CHECK(connection, message, permission) \
+do {\
+DBusError _error

Re: [systemd-devel] [PATCH] selinux: fix selinux check for transient units

[Daniel J Walsh]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 11/14/2013 12:50 PM, Harald Hoyer wrote:
 On 11/05/2013 11:12 PM, Daniel J Walsh wrote:
 On 11/05/2013 12:22 PM, Lennart Poettering wrote:
 
 Ok lets add a check that checks for start on a service labeled with the
 remote process label, then we can add rules like
 
 allow systemd_logind_t self:service start
 
 Or we can make it simpler and have the local end check against the init_t
 process.
 
 allow systemd_logind_t init_t:service start;
 
 Which is probably a better solution, if we have no way of differentiating
 the services.
 
 Machineid usually runs as init_t now.
 
 systemd-run runs as the label of the process that executes it,  Usually 
 unconfined_t, and sysadm_t.
 
 
 has any solution been found for this?
 
 seems like one is needed for
 https://bugzilla.redhat.com/show_bug.cgi?id=1008864
 

I guess the question I have is do you expect a patch from me?  Or are you guys
working on it?  I would go with the checking based on process label.

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.15 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlKFNdUACgkQrlYvE4MpobNuXACg1eKUvMGKMv5zuwKHDvj44K+F
L6gAn3sQtD0QvGUUmJWRGRSolZTdOqN0
=pYrx
-END PGP SIGNATURE-
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] [PATCH] selinux: fix selinux check for transient units

[Daniel J Walsh]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 11/04/2013 02:05 PM, Lennart Poettering wrote:
 On Mon, 04.11.13 17:06, Lennart Poettering (lenn...@poettering.net) wrote:
 
 On Thu, 31.10.13 15:51, Vaclav Pavlin (vpav...@redhat.com) wrote:
 
 From: Václav Pavlín vpav...@redhat.com
 
 Sorry, I don't understand what this patch is doing. Please explain in a 
 commit message!
 
 Hmm, so, here's another idea. The transient units are created by a client
 process. We could easily determine the label of that client process.
 Wouldn't it a better approach to calculate the label of the transient units
 somehow from the client process' label? This way wouldn't need any
 additional systemd-specific infrastructure in libselinux.
 
 Dan, could that work?
 
 Lennart
 
I suppose it would.  The only label we have the the clients is the process 
label.

What process types create these runtime objects and what do they request to do
with them?

Currently systemd asks for permissions on system class and service class, where
class system
{
ipc_info
syslog_read
syslog_mod
syslog_console
module_request
halt
reboot
status
undefined
enable
disable
reload
}

class service
{
start
stop
status
reload
kill
load
enable
disable
}

Do we have to add a rule like

allow sysadm_t networkmanager_t:service start;

Were networkmanager_t is a process type?
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.15 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlJ3/gsACgkQrlYvE4MpobPWbQCfWElx/pR6cOjQKM1Ad0cE/eU1
cAcAoJ1k49KbB143/NJH/DEfl0aRLhnn
=eao5
-END PGP SIGNATURE-
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

[systemd-devel] FYI setroubleshoot has better integration with journald in F20

[Daniel J Walsh]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

http://danwalsh.livejournal.com/65777.html

I think we need  a

systemctl status -verbose httpd


-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.14 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlH7vtoACgkQrlYvE4MpobO1CwCguI7lgjY5nTOixl+F00quSEf3
IXwAnRvz3n0EQxmtTYbe2o1lwyR3WC0O
=rqqR
-END PGP SIGNATURE-
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] FYI setroubleshoot has better integration with journald in F20

[Daniel J Walsh]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 08/02/2013 11:49 AM, Zbigniew Jędrzejewski-Szmek wrote:
 On Fri, Aug 02, 2013 at 04:36:15PM +0200, Tomasz Torcz wrote:
 On Fri, Aug 02, 2013 at 10:14:50AM -0400, Daniel J Walsh wrote:
 http://danwalsh.livejournal.com/65777.html
 
 I think we need  a
 
 systemctl status -verbose httpd
 --full is not enough? journalctl has recently learned to output properly
 indented multiline messages...
 
 SELinux hints look like perfect fit for existing ”-x” switch.
 Not really, because setroubleshoot crafts a specific message for each AVC.
 It *could* be done, by outputting separate structured messages from each of
 the setroubleshoot plugins, and adding the message template from each
 plugin to the catalog, so that then journalctl could fill them in. But that
 would tie setroubleshoot very closely to journalctl, and I'm not sure what
 the gain would be.
 
 Zbyszek
 
Well I am looking for the user to see the entire multi-line message when running

systemctl status UNITFILE

Since this is where we want them to look first.

Maybe have a comment at the bottom of systemctl status UNITFILE, that says

run

systemctl status --full UNITFILE

to see full message.

In the future when we eliminate the setroubleshoot.xml file and fully use the
journal as our backing store, we can talk about that.  The biggest thing would
be for setroubleshoot to know if it saw the message before.  Basically have a
signature that it could look up.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.14 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlH7/1oACgkQrlYvE4MpobO99ACdEyHvkUbJ+WCSF/5JMi8haFkl
zpQAnjRuv23cZtrLUtbLUJWcrwDIt/ua
=Wyqu
-END PGP SIGNATURE-
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

[systemd-devel] We are working on trying to scale up to 1000 containers.

[Daniel J Walsh]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

One concern we have is what will happen to systemd if we start 1000 services
at boot.

systemctl start httpd_sandbox.target

For example.

Is there anything we can do to throttle the start of so many unit files.  Or
would systemd do something itself.

This will probably cause libvirt problems also.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.13 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlHAXGkACgkQrlYvE4MpobNXfgCgkT3Sd9XgV387b5GDLuGyweIO
K0oAn16rai7GjT9NVI6MK7534qnLRf13
=zmnm
-END PGP SIGNATURE-
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] [PATCH] udev hwdb: Store binary database in libdir, not in /etc

[Daniel J Walsh]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 06/17/2013 04:50 PM, Lennart Poettering wrote:
 On Mon, 17.06.13 22:12, Tom Gundersen (t...@jklm.no) wrote:
 
 The only case, where this scheme would fail, is if you backup and 
 restore a system to a different partitioning scheme.
 
 I agree with Lennart that we don't want this scheme, but rather something
 predictable.
 
 How about Colin's suggestion of putting hwdb.bin (and similar files that
 cannot always be in /var/cache) in /etc/cache? Or if anyone have the
 stomach for a huge fight, try to convince everyone of the usefulness of
 /cache?
 
 Well, this is about very few files only. AFAICS only systemd/udev, kmod, 
 ld.so need binary caches around this early during boot. It sounds a bit
 like overkill to introduce an entirely new root level hierarchy for that.
 
 Note that beyond caches there are a number of non-text-files in /etc. For
 example /etc/localtime, /etc/selinux/targeted/policy/policy.27,
 /etc/pki/*.db, /etc/aliases.db, /etc/ld.so.cache, /etc/prelink.cache and so
 on. I am not convinced that text file vs. binary file is the best check to
 decide whether something belongs in /etc or not.
 
 Lennart
 
One of these days I plan on getting the policy file out of /etc and into
/usr/lib/selinux,  But any customizations by the admin or other packages would
end up putting content into /etc
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.13 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlG/fLgACgkQrlYvE4MpobPmQQCfeKqc3i3+JxaNMPFOxccPLesi
q/EAniJUO5bYv+Ei9B5YPJpgZdtt3GoF
=R+DF
-END PGP SIGNATURE-
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

[systemd-devel] Any movement on adding a pid indicator for setroubleshoot to add to the journal entry.

[Daniel J Walsh]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Really would like to be able to track an alert back to the causing pid.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.13 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlGI7dgACgkQrlYvE4MpobMxgACgpFVhYWfQiy5fABCzKLzzYqUb
/swAoONAcKkF74MV9LpQZNGjrcRCIZvj
=VYzt
-END PGP SIGNATURE-
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] Any movement on adding a pid indicator for setroubleshoot to add to the journal entry.

[Daniel J Walsh]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 05/07/2013 08:22 AM, Kay Sievers wrote:
 On Tue, May 7, 2013 at 2:04 PM, Daniel J Walsh dwa...@redhat.com wrote:
 
 Really would like to be able to track an alert back to the causing pid.
 
 You mean the: * introduce generic AUGMENT_PID=, AUGMENT_DEVICE= fields item
 in the TODO list, right?
 
 A facility that one process can submit information really belonging to 
 another one, to the journal. In your case the setroubleshoot PID logs 
 something about the apache service, and if we query the status of apache we
 get that setroubleshoot logs along with the logs that originated from
 apache, right?
 
 How do we handle the trust here? Allow that augmentation only for 
 privileged processes?
 
 Kay
 
Yes I would only allow priv processes to do this, I guess eventually we could
add an SELinux check to this and maybe a capability check like, CAP_SYSLOG?

But for now, just check that the UID==0 of the process doing an AUGMENT_PID.

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.13 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlGI9PwACgkQrlYvE4MpobMqVwCeIf5WDUy/HX1Ft2o8GFlZYaza
t/wAmgPTn+EX6h8PYGcR9tYuZjRjVeI2
=WW6I
-END PGP SIGNATURE-
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] Secure Linux Containers. I have masked down the systemd starting most daemons within containers.

[Daniel J Walsh]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 03/06/2013 09:08 AM, Lennart Poettering wrote:
 On Thu, 14.02.13 07:16, Daniel J Walsh (dwa...@redhat.com) wrote:
 
 -BEGIN PGP SIGNED MESSAGE- Hash: SHA1
 
 Welcome to Fedora 19 (Rawhide)!
 
 Set hostname to lincoln3. /dev/mapper/control: mknod failed: Operation
 not permitted Failure to communicate with kernel device-mapper driver. 
 Check that device-mapper is available in the kernel. [  OK  ] Listening
 on Delayed Shutdown Socket. [  OK  ] Reached target Swap. [  OK  ]
 Reached target Local File Systems. [  OK  ] Listening on Journal Socket. 
 Starting Recreate Volatile Files and Directories... Starting Journal
 Service... [  OK  ] Started Journal Service. [  OK  ] Started Recreate
 Volatile Files and Directories. [  OK  ] Reached target System
 Initialization. [  OK  ] Listening on D-Bus System Message Bus Socket. [
 OK  ] Reached target Sockets. [  OK  ] Reached target Basic System. 
 Starting The Apache HTTP Server... [  OK  ] Started The Apache HTTP
 Server. [  OK  ] Reached target Sandbox multi-user target. Failed to
 issue method call: Unit chronyd.service is not loaded.
 
 
 As you can see, it looks like systemd is attempting to start some lvm
 stuff and crond.  Any ideas on where this stuff is being started?  I want
 neither to run within the container.
 
 Is this still relevant?
 
 LVM is probably invoked from the fedora units for it. You might be able to
 mask them. Or you might be able to convince the LVM folks to conditionalize
 them somehow, for example via ConditionVirtualization=!container or
 ConditionCapabilities=CAP_MKNOD or so.
 
 The crond unit you should be able to simply disable.
 
 Lennart
 


Well I still have the LVM Problem

  /dev/mapper/control: mknod failed: Operation not permitted
  Failure to communicate with kernel device-mapper driver.
  Check that device-mapper is available in the kernel.
Default target could not be isolated, starting instead: Operation refused,
unit may not be isolated.

Everything else seems to be working fine now.



# systemctl list-units
UNIT   LOAD   ACTIVE SUB   DESCRIPTION
- -.mountloaded active mounted   /
boot.mount loaded active mounted   /boot
dev-ptmx.mount loaded active mounted   /dev/ptmx
etc-fstab.mountloaded active mounted   /etc/fstab
etc-hostname.mount loaded active mounted   /etc/hostname
etc-httpd.mountloaded active mounted   /etc/httpd
etc-libvirt\x2dsandbox-scratch.mount   loaded active mounted
/etc/libvirt-sandbox/scratch
etc-machine\x2did.mountloaded active mounted   
/etc/machine-id
etc-rc.d.mount loaded active mounted   /etc/rc.d
etc-systemd-system.mount   loaded active mounted
/etc/systemd/system
home.mount loaded active mounted   /home
proc-meminfo.mount loaded active mounted   /proc/meminfo
root.mount loaded active mounted   /root
run-libvirt-lxc-dan1.mount loaded active mounted
/run/libvirt/lxc/dan1
run-user-3267-gvfs.mount   loaded active mounted
/run/user/3267/gvfs
tmp.mount  loaded active mounted   Temporary
Directory
usr-lib-syste...naconda.target.wants.mount loaded active mounted
/usr/lib/systemd/system/anaconda.target.wa
usr-lib-syste...m-basic.target.wants.mount loaded active mounted
/usr/lib/systemd/system/basic.target.wants
usr-lib-syste...l\x2dfs.target.wants.mount loaded active mounted
/usr/lib/systemd/system/local-fs.target.wa
usr-lib-syste...x2duser.target.wants.mount loaded active mounted
/usr/lib/systemd/system/multi-user.target.
usr-lib-syste...sockets.target.wants.mount loaded active mounted
/usr/lib/systemd/system/sockets.target.wan
usr-lib-syste...sysinit.target.wants.mount loaded active mounted
/usr/lib/systemd/system/sysinit.target.wan
var-lib-nfs-rpc_pipefs.mount   loaded active mounted   RPC Pipe
File System
var.mount  loaded active mounted   /var
dbus.service   loaded active running   D-Bus
System Message Bus
httpd.service  loaded active running   The Apache
HTTP Server
systemd-journald.service   loaded active running   Journal 
Service
systemd-logind.service loaded active running   Login Service
systemd-tmpfiles-setup.service loaded active exitedRecreate
Volatile Files and Directories
dbus.socketloaded active running   D-Bus
System Message Bus Socket
systemd-journald.socketloaded active running   Journal 
Socket
systemd-shutdownd.socket   loaded active listening Delayed
Shutdown Socket
dev-dm

[systemd-devel] Secure Linux Containers. I have masked down the systemd starting most daemons within containers.

[Daniel J Walsh]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Welcome to Fedora 19 (Rawhide)!

Set hostname to lincoln3.
  /dev/mapper/control: mknod failed: Operation not permitted
  Failure to communicate with kernel device-mapper driver.
  Check that device-mapper is available in the kernel.
[  OK  ] Listening on Delayed Shutdown Socket.
[  OK  ] Reached target Swap.
[  OK  ] Reached target Local File Systems.
[  OK  ] Listening on Journal Socket.
 Starting Recreate Volatile Files and Directories...
 Starting Journal Service...
[  OK  ] Started Journal Service.
[  OK  ] Started Recreate Volatile Files and Directories.
[  OK  ] Reached target System Initialization.
[  OK  ] Listening on D-Bus System Message Bus Socket.
[  OK  ] Reached target Sockets.
[  OK  ] Reached target Basic System.
 Starting The Apache HTTP Server...
[  OK  ] Started The Apache HTTP Server.
[  OK  ] Reached target Sandbox multi-user target.
Failed to issue method call: Unit chronyd.service is not loaded.


As you can see, it looks like systemd is attempting to start some lvm stuff
and crond.  Any ideas on where this stuff is being started?  I want neither to
run within the container.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.13 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlEc1YkACgkQrlYvE4MpobMGQwCfT/jvY0w4QzdNl/ppCwmCtIDk
HSAAoInIj7gwN88KJEEy1AHVOtaC7Qsg
=mtsv
-END PGP SIGNATURE-
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] Simple question.

[Daniel J Walsh]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 01/26/2013 08:07 PM, David Strauss wrote:
 On Fri, Jan 25, 2013 at 12:42 PM, Mantas Mikulėnas graw...@gmail.com
 wrote:
 That some users may want to take advantage of modern Linux features and
 run httpd without *ever* giving it full root privileges – which it needs
 for precisely two things, bind() and setuid().
 
 That's another reason why socket activation is great for server
 environments.
 
 -- David Strauss | da...@davidstrauss.net | +1 512 577 5827 [mobile] 
 ___ systemd-devel mailing list 
 systemd-devel@lists.freedesktop.org 
 http://lists.freedesktop.org/mailman/listinfo/systemd-devel
 
I am trying to implement the OpenShift model using Secure Linux Containers.
Each Gear/User in an OpenShift environment has an apache service listening on
port 8080 (I believe) on a localhost IPAddress.  The host machine also has an
apache service running on port 80, When packets come into the host the apache
service sends them to the correct gear/apache server.

Currently this is done by using some complicated scripting and limited file
system namespace separation.  I am interested if we could prototype this
environment using a full Linux Container environment, where each one of the
gears lives in a separate container, with its own systemd, and apache service,
running as the users UID.


-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.13 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlEJHVIACgkQrlYvE4MpobPwLQCeOXFm4Su19hjrdglWmOXMzA7a
u64AoIHSBufUuld8Pj467Zv1rkA3YJYC
=ZIZo
-END PGP SIGNATURE-
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] [PATCH] selinux-access: Delete debugging message logged as an error

[Daniel J Walsh]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 01/24/2013 10:47 PM, Lennart Poettering wrote:
 On Thu, 24.01.13 17:47, Colin Walters (walt...@verbum.org) wrote:
 
 I don't see why this should be logged at all, so let's delete it.
 
 Applied. I also removed a couple of other messages that appear a bit too 
 much to me.
 
 Lennart
 
I agree those should be deleted.


-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.13 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlECiDMACgkQrlYvE4MpobNSpgCgrfOB5oonk6FtPBFRIakQeBh7
FvcAn36Fr4ZAiMkfA3LnQnh74PiEq1jT
=ZCMu
-END PGP SIGNATURE-
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

[systemd-devel] Simple question.

[Daniel J Walsh]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

How would I write a unit file to run an apache service as the user dwalsh (3267)
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.13 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlECthIACgkQrlYvE4MpobNjEQCffDaCsrGq13sqNtJ+FKTLzMvy
3twAn0ST0oF8g8XG7ZQefjRhHwJzlAnN
=2qMt
-END PGP SIGNATURE-
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] setroubleshoot integration.

[Daniel J Walsh]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 01/09/2013 11:55 AM, Zbigniew Jędrzejewski-Szmek wrote:
 On Wed, Jan 09, 2013 at 05:44:02PM +0100, Zbigniew Jędrzejewski-Szmek
 wrote:
 On Wed, Jan 09, 2013 at 11:00:36AM -0500, Daniel J Walsh wrote:
 -BEGIN PGP SIGNED MESSAGE- Hash: SHA1
 
 One of my goals with setroubleshoot analysys is to get it integrated
 into the journald system.
 
 In Fedora I am adding
 
 systemd.journal.send(siginfo.format_text())
 
 Which will put the setroubleshoot info into the journal, but what I
 really need is to add a key for the process id that created the journal
 entry.
 
 We had talked about this a while ago with the goal of allowing
 something like
 
 systemctl httpd status  SELinux is blocking httpd read access on
 /var/www/index.html setroubleshoot ... run restorecon
 /var/www/index.html
 
 The only way for systemd to know the setroubleshoot analysys is for
 httpd is to include the pid when setroubleshoot writes the journal.
 Hi,
 
 the way that finding messages pertaining to a certain service works
 currently is encoded in src/share/logs-show.c, function
 show_journal_by_unit: - journald adds _SYSTEMD_UNIT=... when it can to
 messages generated by the services themselves - systemd (PID 1) writes
 messages about services with UNIT=... and journalds tags them with
 _PID=1 - COREDUMP writes messages with COREDUMP_UNIT=...
 
 I think it would be realitively to extend show_journal_by_unit() to
 check
 ^relatively easy
 for messages with _SYSTEMD_UNIT=setroubleshootd.service (or whatever) and
 UNIT=... Would this work for you? This would require setroubleshootd to
 find out the unit name on its own. Actually, this might be for the
 better, since by the time that journald gets the message, the PID might
 be long gone, and setroubleshootd has more knowledge.
 A second part would be support for multiline messages. This is another 
 story.
 
 Zbyszek
 

Well I got two problems, then.  How does setroubleshoot figure out which unit
file is associated with a pid?  (From python).  And if the pid is not
associated with a unit file but with a User or something else (systemd
itself),  what should I do?
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.13 (GNU/Linux)
Comment: Using GnuPG with undefined - http://www.enigmail.net/

iEYEARECAAYFAlDtqVkACgkQrlYvE4MpobNIggCeMZKTjZJJnWEaU3nGi89HZmJK
SdEAoKhh/x2T+f2uOydgjCMBxHz3oYoq
=gtQC
-END PGP SIGNATURE-
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] setroubleshoot integration.

[Daniel J Walsh]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 01/09/2013 01:42 PM, Zbigniew Jędrzejewski-Szmek wrote:
 On Wed, Jan 09, 2013 at 12:31:05PM -0500, Daniel J Walsh wrote:
 -BEGIN PGP SIGNED MESSAGE- Hash: SHA1
 
 On 01/09/2013 11:55 AM, Zbigniew Jędrzejewski-Szmek wrote:
 On Wed, Jan 09, 2013 at 05:44:02PM +0100, Zbigniew Jędrzejewski-Szmek 
 wrote:
 On Wed, Jan 09, 2013 at 11:00:36AM -0500, Daniel J Walsh wrote:
 -BEGIN PGP SIGNED MESSAGE- Hash: SHA1
 
 One of my goals with setroubleshoot analysys is to get it
 integrated into the journald system.
 
 In Fedora I am adding
 
 systemd.journal.send(siginfo.format_text())
 
 Which will put the setroubleshoot info into the journal, but what
 I really need is to add a key for the process id that created the
 journal entry.
 
 We had talked about this a while ago with the goal of allowing 
 something like
 
 systemctl httpd status  SELinux is blocking httpd read access
 on /var/www/index.html setroubleshoot ... run restorecon 
 /var/www/index.html
 
 The only way for systemd to know the setroubleshoot analysys is
 for httpd is to include the pid when setroubleshoot writes the
 journal.
 Hi,
 
 the way that finding messages pertaining to a certain service works 
 currently is encoded in src/share/logs-show.c, function 
 show_journal_by_unit: - journald adds _SYSTEMD_UNIT=... when it can
 to messages generated by the services themselves - systemd (PID 1)
 writes messages about services with UNIT=... and journalds tags them
 with _PID=1 - COREDUMP writes messages with COREDUMP_UNIT=...
 
 I think it would be realitively to extend show_journal_by_unit() to 
 check
 ^relatively easy
 for messages with _SYSTEMD_UNIT=setroubleshootd.service (or whatever)
 and UNIT=... Would this work for you? This would require
 setroubleshootd to
 Probably SYSTEMD_UNIT would be better here.
 
 find out the unit name on its own. Actually, this might be for the 
 better, since by the time that journald gets the message, the PID
 might be long gone, and setroubleshootd has more knowledge.
 A second part would be support for multiline messages. This is another
  story.
 
 Zbyszek
 
 
 Well I got two problems, then.  How does setroubleshoot figure out which
 unit file is associated with a pid?  (From python).
 We could either expose the C functions (sd_pid_get_session is already
 public, and it would be nice to add a Python interface, 
 shortened_cgroup_path could be easily made public, cg_pid_get_unit is not
 public yet either), or create a rewrite in Python and put it in the
 systemd-python package, or even do nothing and let each user rewrite it.
 
 I think option two would be easiest, but maybe option one is worth 
 pursuing. Option two would be a bit more work, but might help keep things
 synchronized in the future. Yeah, it seems best, since the combined work
 required to rewrite sd_pid_get_session, shortened_cgroup_path, and
 cg_pid_get_unit is pretty big.
 
 And if the pid is not associated with a unit file but with a User or
 something else (systemd itself),  what should I do?
 I think just duplicate journald logic: add SYSTEMD_SESSION,
 SYSTEMD_OWNER_UID if possible, or nothing.
 
 Zbyszek
 
Sounds good, but is this something I should open a bugzilla for?
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.13 (GNU/Linux)
Comment: Using GnuPG with undefined - http://www.enigmail.net/

iEYEARECAAYFAlDtvOYACgkQrlYvE4MpobMsJgCgiP8/7031ZK+3+xeoK1hY5dOw
jkEAnRMa+JPe4J292ejRADWKCUB8M5tF
=hdWy
-END PGP SIGNATURE-
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] setroubleshoot integration.

[Daniel J Walsh]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 01/09/2013 02:49 PM, Lennart Poettering wrote:
 On Wed, 09.01.13 17:44, Zbigniew Jędrzejewski-Szmek (zbys...@in.waw.pl)
 wrote:
 
 systemctl httpd status  SELinux is blocking httpd read access on
 /var/www/index.html setroubleshoot ... run restorecon
 /var/www/index.html
 
 The only way for systemd to know the setroubleshoot analysys is for
 httpd is to include the pid when setroubleshoot writes the journal.
 Hi,
 
 the way that finding messages pertaining to a certain service works
 currently is encoded in src/share/logs-show.c, function
 show_journal_by_unit: - journald adds _SYSTEMD_UNIT=... when it can to
 messages generated by the services themselves - systemd (PID 1) writes
 messages about services with UNIT=... and journalds tags them with
 _PID=1 - COREDUMP writes messages with COREDUMP_UNIT=...
 
 I think it would be realitively to extend show_journal_by_unit() to
 check for messages with _SYSTEMD_UNIT=setroubleshootd.service (or
 whatever) and UNIT=... Would this work for you? This would require
 setroubleshootd to find out the unit name on its own. Actually, this
 might be for the better, since by the time that journald gets the
 message, the PID might be long gone, and setroubleshootd has more
 knowledge.
 
 Oh, uhm, I was envisioning a much simpler, more generic solution for this.
 Something as simple as this:
 
 We'd define a new special field OBJECT_PID. If this is included in a 
 message, and that message comes from a privileged service, then journald 
 will automatically add in OBJECT_EXE, OBJECT_UID, OBJECT_COMM, OBJECT_UNIT
 ... from /proc.
 
 That way, all setroubleshoot would have to do is add this one property to
 its messages, and systemd would do the rest. In fact, not only 
 setroubleshoot could make use of that. For example, PolicyKit might too.
 Much like setroubleshoot it needs to log messages about specific processes
 (in this case clients), and could benefit from implicit augmentation of the
 message by journald.
 
 Eventually we might want to add the same for OBJECT_DEVICE or so, in case
 device managers want to logs things about devices or so.
 
 Implementation of this scheme on the systemd side should be fairly simple,
 but even more so on the setroubleshoot side.
 
 Does this make sense?
 
 Lennart
 
I like the idea, (Less work for me. )
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.13 (GNU/Linux)
Comment: Using GnuPG with undefined - http://www.enigmail.net/

iEYEARECAAYFAlDty9QACgkQrlYvE4MpobNyxgCgx+Yr84oc4w4BSeENar/9Sp60
nOkAn0tzQ1G2fkh+UFp1MIZkdh6rhIWt
=wPGg
-END PGP SIGNATURE-
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] setroubleshoot integration.

[Daniel J Walsh]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 01/09/2013 04:52 PM, Zbigniew Jędrzejewski-Szmek wrote:
 On Wed, Jan 09, 2013 at 02:58:12PM -0500, Daniel J Walsh wrote:
 -BEGIN PGP SIGNED MESSAGE- Hash: SHA1
 
 On 01/09/2013 02:49 PM, Lennart Poettering wrote:
 On Wed, 09.01.13 17:44, Zbigniew Jędrzejewski-Szmek
 (zbys...@in.waw.pl) wrote:
 
 systemctl httpd status  SELinux is blocking httpd read access
 on /var/www/index.html setroubleshoot ... run restorecon 
 /var/www/index.html
 
 The only way for systemd to know the setroubleshoot analysys is
 for httpd is to include the pid when setroubleshoot writes the
 journal.
 Hi,
 
 the way that finding messages pertaining to a certain service works 
 currently is encoded in src/share/logs-show.c, function 
 show_journal_by_unit: - journald adds _SYSTEMD_UNIT=... when it can
 to messages generated by the services themselves - systemd (PID 1)
 writes messages about services with UNIT=... and journalds tags them
 with _PID=1 - COREDUMP writes messages with COREDUMP_UNIT=...
 
 I think it would be realitively to extend show_journal_by_unit() to 
 check for messages with _SYSTEMD_UNIT=setroubleshootd.service (or 
 whatever) and UNIT=... Would this work for you? This would require 
 setroubleshootd to find out the unit name on its own. Actually, this 
 might be for the better, since by the time that journald gets the 
 message, the PID might be long gone, and setroubleshootd has more 
 knowledge.
 
 Oh, uhm, I was envisioning a much simpler, more generic solution for
 this. Something as simple as this:
 
 We'd define a new special field OBJECT_PID. If this is included in a 
 message, and that message comes from a privileged service, then
 journald will automatically add in OBJECT_EXE, OBJECT_UID, OBJECT_COMM,
 OBJECT_UNIT ... from /proc.
 OK, that would work too. How is a privileged service defined?
 
 Zbyszek
 
UID=0 for now I would guess, until I hack into it with SELinux...

 That way, all setroubleshoot would have to do is add this one property
 to its messages, and systemd would do the rest. In fact, not only 
 setroubleshoot could make use of that. For example, PolicyKit might
 too. Much like setroubleshoot it needs to log messages about specific
 processes (in this case clients), and could benefit from implicit
 augmentation of the message by journald.
 
 Eventually we might want to add the same for OBJECT_DEVICE or so, in
 case device managers want to logs things about devices or so.
 
 Implementation of this scheme on the systemd side should be fairly
 simple, but even more so on the setroubleshoot side.
 
 Does this make sense?
 
 Lennart
 
 I like the idea, (Less work for me. )

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.13 (GNU/Linux)
Comment: Using GnuPG with undefined - http://www.enigmail.net/

iEYEARECAAYFAlDt6RYACgkQrlYvE4MpobPgggCdG7oEeE709xl9qG7PzoEzChwi
UZIAoL4CQkLOFpsM8Y1szdGHA5uWOeF8
=X7fb
-END PGP SIGNATURE-
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

[systemd-devel] I added the uuid to match a container to /var/log/journal

[Daniel J Walsh]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ls -l /var/log/journal/
total 12
drwxr-xr-x. 2 root root 12288 Nov 16 08:47 1b16d5a8cec649e7ba7d9f9f6ef8f393
lrwxrwxrwx. 1 root root52 Nov 13 15:24 1f9684eeed2d43d3bfee702a89f849d6 -
/var/lib/libvirt/filesystems/apache1/var/log/journal
lrwxrwxrwx. 1 root root48 Nov 13 15:29 99f38a5c9bfd46bab46cc8e2685bee65 -
/var/lib/libvirt/filesystems/dan/var/log/journal


How would I go about viewing the log file in journalctl?

Also in talks about containers, a discussion came up about using syslog to off
load container logs to a centralized server.  Is there a way to collect the
data from journald/containers into the host systems syslog?

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with undefined - http://www.enigmail.net/

iEYEARECAAYFAlCmS8QACgkQrlYvE4MpobPR3wCfcidpc7OJf8pJHNv8fwumeFSH
4ZQAn3jBn/9w9bAU5+cJlGzYNQ1aBLLo
=tfYR
-END PGP SIGNATURE-
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

[systemd-devel] I have switched libvirt-sandbox containers to use multi-user.target

[Daniel J Walsh]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

The only problem I see is that now sysV init scripts are firing off within the
container. (iSCSI daemon).  What can I do to stop this within the container?

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with undefined - http://www.enigmail.net/

iEYEARECAAYFAlCmTG4ACgkQrlYvE4MpobNS8ACgqJU1ADDnId43Roa2H1x0c81c
p1gAnjn1glOuV4vfHsmWl7IyN6yNyCOB
=dgtw
-END PGP SIGNATURE-
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] I have switched libvirt-sandbox containers to use multi-user.target

[Daniel J Walsh]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 11/16/2012 02:56 PM, Lennart Poettering wrote:
 On Fri, 16.11.12 09:23, Daniel J Walsh (dwa...@redhat.com) wrote:
 
 The only problem I see is that now sysV init scripts are firing off
 within the container. (iSCSI daemon).  What can I do to stop this within
 the container?
 
 Services such as the iscsi daemon which one can sort in the driver 
 category should never run in containers I believe. To automaticalky
 execution of these services in containers you can use
 ConditionVirtualization (as Colin already suggested).
 ConditionVirtualization=!container should do the job. (See systemd.unit(5)
 for details).
 
 That said, iscsid on Fedora currently is still a sysv script, which is a 
 bit disappointing, and there's hence no place to add 
 ConditionVirtualization=. My recommendation would be to get the iscsi folks
 to convert it into a systemd unit file, they should do that anyway soon.
 But as a temporary work-around you could just mask the unit in your
 container. Just add a symlink to /dev/null for 
 /etc/systemd/system/iscsi.service and it will mask the sysv service and 
 make it entirely unavailable. See this for details:
 
 http://0pointer.de/blog/projects/three-levels-of-off.html
 
 That said, manually masking things in the container in your script really
 is hacky, and I am pretty sure the better way is to get iscsid fixed to
 become a native systemd unit file that usese ConditionVirtualization to
 disable itself in a container.
 
 Lennart
 
Isn't there a way to shut off systemV init scripts altogether, it just so
happens that we hit one on my machine.  But in the field a customer could have
an init script and then setup containers and systemd will attempt to start it.
 I want a way to say don't run SysV Init scripts altogether.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with undefined - http://www.enigmail.net/

iEYEARECAAYFAlCmnNgACgkQrlYvE4MpobNKyQCcCIVQS/FuvOg3wWYi6AvgFMAw
mI4AnA14UHY47GUd1uQROjDXmlv1TmDT
=Ew3x
-END PGP SIGNATURE-
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

[systemd-devel] SELinux patch still broken, in that we are not checking the correct source context.

[Daniel J Walsh]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

This patch does the dbus calls correctly.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iEYEARECAAYFAlB3NOUACgkQrlYvE4MpobOFCACgvMzYDOUYb+THKlSZF2+RcSfD
8R8AnRgG1DMDW0XkH/raf+W4ctXLdL6L
=zUUU
-END PGP SIGNATURE-
diff --git a/src/core/selinux-access.c b/src/core/selinux-access.c
index d9c3f9b..974e9fe 100644
--- a/src/core/selinux-access.c
+++ b/src/core/selinux-access.c
@@ -59,7 +59,11 @@ static int bus_get_selinux_security_context(
 DBusError *error) {
 
 _cleanup_dbus_message_unref_ DBusMessage *m = NULL, *reply = NULL;
+	DBusMessageIter iter, sub;
+	char *bytes;
+	int nbytes;
 
+log_debug(GetConnectionSELinuxSecurityContext);
 m = dbus_message_new_method_call(
 DBUS_SERVICE_DBUS,
 DBUS_PATH_DBUS,
@@ -85,11 +89,21 @@ static int bus_get_selinux_security_context(
 if (dbus_set_error_from_message(error, reply))
 return -EIO;
 
-if (!dbus_message_get_args(
-reply, error,
-DBUS_TYPE_STRING, scon,
-DBUS_TYPE_INVALID))
-return -EIO;
+if (!dbus_message_iter_init (reply, iter))
+		return -EIO;
+
+if (dbus_message_iter_get_arg_type (iter) != DBUS_TYPE_ARRAY)
+		return -EIO;
+
+	dbus_message_iter_recurse (iter, sub);
+	dbus_message_iter_get_fixed_array (sub, bytes, nbytes);
+
+	*scon = calloc(1, nbytes + 1);
+	if (!*scon)
+return -ENOMEM;
+	strncpy(*scon, bytes, nbytes);
+
+log_debug(GetConnectionSELinuxSecurityContext %s (pid %ld), *scon, (long) bus_get_unix_process_id(connection, name, error));
 
 return 0;
 }
@@ -293,14 +307,17 @@ static int get_calling_context(
 */
 sender = dbus_message_get_sender(message);
 if (sender) {
+log_error(SELinux Got Sender %s, sender);
+
 r = bus_get_selinux_security_context(connection, sender, scon, error);
 if (r = 0)
 return r;
 
-log_debug(bus_get_selinux_security_context failed %m);
-dbus_error_free(error);
+log_error(bus_get_selinux_security_context failed %m);
+return r;
 }
 
+log_debug(SELinux No Sender);
 if (!dbus_connection_get_unix_fd(connection, fd)) {
 log_error(bus_connection_get_unix_fd failed %m);
 return -EINVAL;
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

[systemd-devel] selabel_lookup_raw can return ENOENT and be a non failure mode.

[Daniel J Walsh]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1


-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iEUEARECAAYFAlB3NV8ACgkQrlYvE4MpobP7wwCY6mI+73m3XXJk2xtrjTloWoIG
VgCgo7xK8/EuGzBdKs7lXAWYYRi923M=
=nqZY
-END PGP SIGNATURE-
diff --git a/src/shared/label.c b/src/shared/label.c
index 2062fc3..d353da5 100644
--- a/src/shared/label.c
+++ b/src/shared/label.c
@@ -186,7 +186,7 @@ int label_context_set(const char *path, mode_t mode) {
 return 0;
 
 r = selabel_lookup_raw(label_hnd, filecon, path, mode);
-if (r  0)
+if (r  0  errno != ENOENT)
 r = -errno;
 else if (r == 0) {
 r = setfscreatecon(filecon);
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

[systemd-devel] Latest SELinux patch off of 760c85c0bdf02d68589971b869f61038e7893d75

[Daniel J Walsh]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1


-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iEYEARECAAYFAlBls7MACgkQrlYvE4MpobPaUgCg4rejxmHdP7jkO38+KR/31ONL
lGYAn36W0Hi80AX1UCfXyLyBJDW8C3AO
=UTqj
-END PGP SIGNATURE-
diff --git a/src/core/selinux-access.c b/src/core/selinux-access.c
index 5edb09a..732fcbf 100644
--- a/src/core/selinux-access.c
+++ b/src/core/selinux-access.c
@@ -252,9 +252,22 @@ static int audit_callback(void *auditdata, security_class_t cls,
 {
 struct auditstruct *audit = (struct auditstruct *) auditdata;
 snprintf(msgbuf, msgbufsize,
- name=\%s\ cmdline=\%s\ auid=%d uid=%d gid=%d,
- audit-path, audit-cmdline, audit-loginuid,
+ auid=%d uid=%d gid=%d,
+ audit-loginuid,
  audit-uid, audit-gid);
+
+if (audit-path) {
+		strncat(msgbuf, path=\, msgbufsize);
+		strncat(msgbuf, audit-path, msgbufsize);
+		strncat(msgbuf,\, msgbufsize);
+}
+
+if (audit-cmdline) {
+		strncat(msgbuf, cmdline=\, msgbufsize);
+		strncat(msgbuf, audit-cmdline, msgbufsize);
+		strncat(msgbuf,\, msgbufsize);
+}
+
 return 0;
 }
 
@@ -295,7 +308,7 @@ static int access_init(void) {
 int r = -1;
 
 if (avc_open(NULL, 0)) {
-log_full(LOG_ERR, avc_open failed: %m\n);
+log_error(avc_open failed: %m);
 return -errno;
 }
 
@@ -329,13 +342,12 @@ static int selinux_init(Manager *m, DBusError *error) {
 /* if not first time is not set, then initialize access */
 r = access_init();
 if (r  0) {
-dbus_set_error(error, DBUS_ERROR_ACCESS_DENIED, Unable to initialize SELinux.);
-
+dbus_set_error(error, DBUS_ERROR_ACCESS_DENIED, Failed to initialize SELinux.);
 return r;
 }
-first_time = 0;
 }
 
+first_time = 0;
 return 0;
 }
 
@@ -392,6 +404,7 @@ static int get_calling_context(
 
 const char *sender;
 int r;
+int fd;
 
 /*
If sender exists then
@@ -401,17 +414,22 @@ static int get_calling_context(
 sender = dbus_message_get_sender(message);
 if (sender) {
 r = bus_get_selinux_security_context(connection, sender, scon, error);
-if (r  0)
-return -EINVAL;
-} else {
-int fd;
-r = dbus_connection_get_unix_fd(connection, fd);
-if (! r)
-return -EINVAL;
+if (r == 0)
+return 0;
 
-r = getpeercon(fd, scon);
-if (r  0)
-return -errno;
+log_debug(bus_get_selinux_security_context failed %m);
+}
+
+r = dbus_connection_get_unix_fd(connection, fd);
+if (! r) {
+log_error(bus_connection_get_unix_fd failed %m);
+return -EINVAL;
+}
+
+r = getpeercon(fd, scon);
+if (r  0) {
+log_error(getpeercon failed %m);
+return -errno;
 }
 
 return 0;
@@ -461,15 +479,18 @@ static int selinux_access_check(DBusConnection *connection, DBusMessage *message
 audit.path = path;
 
 r = get_calling_context(connection, message, scon, error);
-if (r != 0)
+if (r != 0) {
+log_error(Failed to get caller's security context on: %m);
 goto finish;
-
+}
 if (path) {
 tclass = service;
 /* get the file context of the unit file */
 r = getfilecon(path, fcon);
 if (r  0) {
-log_full(LOG_ERR, Failed to get security context on: %s %m\n,path);
+dbus_set_error(error, DBUS_ERROR_ACCESS_DENIED, Failed to get file context on %s., path);
+r = -errno;
+log_error(Failed to get security context on: %s %m,path);
 goto finish;
 }
 
@@ -477,7 +498,9 @@ static int selinux_access_check(DBusConnection *connection, DBusMessage *message
 tclass = system;
 r = getcon(fcon);
 if (r  0) {
-dbus_set_error(error, DBUS_ERROR_ACCESS_DENIED, Unable to get current context, SELinux policy denies access.);
+dbus_set_error(error, DBUS_ERROR_ACCESS_DENIED, Failed to get current context.);
+r = -errno;
+log_error(Failed to get current process context on: %m);
 goto finish;
 }
 }
@@ -488,16 +511,12 @@ static int selinux_access_check(DBusConnection *connection, 

Re: [systemd-devel] Latest SELinux patch off of 760c85c0bdf02d68589971b869f61038e7893d75

[Daniel J Walsh]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Another attempt with potential buffer overflow bug fixed.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iEYEARECAAYFAlBlw1oACgkQrlYvE4MpobMLFwCfduUwrF8RRyOHGwVFxsQZZwzM
JysAoKEpmEqbUTh85Cc/7gKiYyZZy0CY
=Hsk7
-END PGP SIGNATURE-
diff --git a/src/core/selinux-access.c b/src/core/selinux-access.c
index 5edb09a..79909be 100644
--- a/src/core/selinux-access.c
+++ b/src/core/selinux-access.c
@@ -252,9 +252,15 @@ static int audit_callback(void *auditdata, security_class_t cls,
 {
 struct auditstruct *audit = (struct auditstruct *) auditdata;
 snprintf(msgbuf, msgbufsize,
- name=\%s\ cmdline=\%s\ auid=%d uid=%d gid=%d,
- audit-path, audit-cmdline, audit-loginuid,
- audit-uid, audit-gid);
+ auid=%d uid=%d gid=%d%s%s%s%s%s%s,
+ audit-loginuid,
+ audit-uid, audit-gid,
+ (audit-path ?  path=\ : ),
+ (audit-path ?: ),
+ (audit-path ? \ : ),
+ (audit-cmdline ?  cmdline=\ : ),
+ (audit-cmdline ?: ),
+ (audit-cmdline ? \ : ));
 return 0;
 }
 
@@ -295,7 +301,7 @@ static int access_init(void) {
 int r = -1;
 
 if (avc_open(NULL, 0)) {
-log_full(LOG_ERR, avc_open failed: %m\n);
+log_error(avc_open failed: %m);
 return -errno;
 }
 
@@ -329,13 +335,12 @@ static int selinux_init(Manager *m, DBusError *error) {
 /* if not first time is not set, then initialize access */
 r = access_init();
 if (r  0) {
-dbus_set_error(error, DBUS_ERROR_ACCESS_DENIED, Unable to initialize SELinux.);
-
+dbus_set_error(error, DBUS_ERROR_ACCESS_DENIED, Failed to initialize SELinux.);
 return r;
 }
-first_time = 0;
 }
 
+first_time = 0;
 return 0;
 }
 
@@ -392,6 +397,7 @@ static int get_calling_context(
 
 const char *sender;
 int r;
+int fd;
 
 /*
If sender exists then
@@ -401,17 +407,22 @@ static int get_calling_context(
 sender = dbus_message_get_sender(message);
 if (sender) {
 r = bus_get_selinux_security_context(connection, sender, scon, error);
-if (r  0)
-return -EINVAL;
-} else {
-int fd;
-r = dbus_connection_get_unix_fd(connection, fd);
-if (! r)
-return -EINVAL;
+if (r == 0)
+return 0;
 
-r = getpeercon(fd, scon);
-if (r  0)
-return -errno;
+log_debug(bus_get_selinux_security_context failed %m);
+}
+
+r = dbus_connection_get_unix_fd(connection, fd);
+if (! r) {
+log_error(bus_connection_get_unix_fd failed %m);
+return -EINVAL;
+}
+
+r = getpeercon(fd, scon);
+if (r  0) {
+log_error(getpeercon failed %m);
+return -errno;
 }
 
 return 0;
@@ -461,15 +472,18 @@ static int selinux_access_check(DBusConnection *connection, DBusMessage *message
 audit.path = path;
 
 r = get_calling_context(connection, message, scon, error);
-if (r != 0)
+if (r != 0) {
+log_error(Failed to get caller's security context on: %m);
 goto finish;
-
+}
 if (path) {
 tclass = service;
 /* get the file context of the unit file */
 r = getfilecon(path, fcon);
 if (r  0) {
-log_full(LOG_ERR, Failed to get security context on: %s %m\n,path);
+dbus_set_error(error, DBUS_ERROR_ACCESS_DENIED, Failed to get file context on %s., path);
+r = -errno;
+log_error(Failed to get security context on: %s %m,path);
 goto finish;
 }
 
@@ -477,7 +491,9 @@ static int selinux_access_check(DBusConnection *connection, DBusMessage *message
 tclass = system;
 r = getcon(fcon);
 if (r  0) {
-dbus_set_error(error, DBUS_ERROR_ACCESS_DENIED, Unable to get current context, SELinux policy denies access.);
+dbus_set_error(error, DBUS_ERROR_ACCESS_DENIED, Failed to get current context.);
+r = -errno;
+log_error(Failed to get current process context on: %m);
 goto finish;
 }
 }
@@ -488,16 +504,12 @@ static int 

[systemd-devel] New SELinux Patch to fix gettys not starting and poweroff/reboot commands from userspace working.

[Daniel J Walsh]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Lots of new debugging/Error messages, to figure out what was failing.

Fix audit messages to not add cmdline of path if it does not exist.

Fix handling of initilization of selinux libraries.

Use log_error instead of log_full(LOG_ERROR

If bus_get_selinux_security_context fails, try to get the PID of the remote
connection and use this to get security context.

Set r -errno when the error happens, not on exit.

Use selinux_getenforce() rather then relying on global, since the global is
not always up2date.

Call multiple dbus_message_get_args to try to get name field.  One with three
params, one with two and one with one.  dbus-manager needs to be cleaned up,
and then we could change SELinux patch to take either a unit file or just a 
path.

Stop returning errors, if SELinux can not complete checks.  We can probably
turn this back on, but I wanted to make sure systemd would work in the field
before tightening this up.

You also need an updated SELINux policy to make this work.

selinux-policy-3.11.1-24.fc18.noarch
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iEYEARECAAYFAlBhECMACgkQrlYvE4MpobOv1ACfdXIAZ0WVim8I3wRAK2IlsLcB
150An0e8+Uv/EkPZWzrtytURUIOvwvDC
=uv/J
-END PGP SIGNATURE-
diff --git a/src/core/selinux-access.c b/src/core/selinux-access.c
index 8513634..9587065 100644
--- a/src/core/selinux-access.c
+++ b/src/core/selinux-access.c
@@ -252,9 +252,22 @@ static int audit_callback(void *auditdata, security_class_t cls,
 {
 struct auditstruct *audit = (struct auditstruct *) auditdata;
 snprintf(msgbuf, msgbufsize,
- name=\%s\ cmdline=\%s\ auid=%d uid=%d gid=%d,
- audit-path, audit-cmdline, audit-loginuid,
+ auid=%d uid=%d gid=%d,
+ audit-loginuid,
  audit-uid, audit-gid);
+
+if (audit-path) {
+		strncat(msgbuf, path=\, msgbufsize);
+		strncat(msgbuf, audit-path, msgbufsize);
+		strncat(msgbuf,\, msgbufsize);
+}
+
+if (audit-cmdline) {
+		strncat(msgbuf, cmdline=\, msgbufsize);
+		strncat(msgbuf, audit-cmdline, msgbufsize);
+		strncat(msgbuf,\, msgbufsize);
+}
+
 return 0;
 }
 
@@ -295,7 +308,7 @@ static int access_init(void) {
 int r = -1;
 
 if (avc_open(NULL, 0)) {
-log_full(LOG_ERR, avc_open failed: %m\n);
+log_error(avc_open failed: %m);
 return -errno;
 }
 
@@ -329,13 +342,13 @@ static int selinux_init(Manager *m, DBusError *error) {
 /* if not first time is not set, then initialize access */
 r = access_init();
 if (r  0) {
-dbus_set_error(error, BUS_ERROR_ACCESS_DENIED, Unable to initialize SELinux.);
+dbus_set_error(error, BUS_ERROR_ACCESS_DENIED, Failed to initialize SELinux.);
 
 return r;
 }
-first_time = 0;
 }
 
+first_time = 0;
 return 0;
 }
 
@@ -392,6 +405,7 @@ static int get_calling_context(
 
 const char *sender;
 int r;
+int fd;
 
 /*
If sender exists then
@@ -401,17 +415,22 @@ static int get_calling_context(
 sender = dbus_message_get_sender(message);
 if (sender) {
 r = bus_get_selinux_security_context(connection, sender, scon, error);
-if (r  0)
-return -EINVAL;
-} else {
-int fd;
-r = dbus_connection_get_unix_fd(connection, fd);
-if (! r)
-return -EINVAL;
+if (r == 0)
+return 0;
 
-r = getpeercon(fd, scon);
-if (r  0)
-return -errno;
+log_debug(bus_get_selinux_security_context failed %m);
+}
+
+r = dbus_connection_get_unix_fd(connection, fd);
+if (! r) {
+log_error(bus_connection_get_unix_fd failed %m);
+return -EINVAL;
+}
+
+r = getpeercon(fd, scon);
+if (r  0) {
+log_error(getpeercon failed %m);
+return -errno;
 }
 
 return 0;
@@ -461,15 +480,18 @@ static int selinux_access_check(DBusConnection *connection, DBusMessage *message
 audit.path = path;
 
 r = get_calling_context(connection, message, scon, error);
-if (r != 0)
+if (r != 0) {
+log_error(Failed to get caller's security context on: %m);
 goto finish;
-
+}
 if (path) {
 tclass = service;
 /* get the file context of the unit file */
 r = getfilecon(path, fcon);
 if (r  0) {
-log_full(LOG_ERR, Failed to get security 

[systemd-devel] No TTY and inability to shutdown/reboot from user session

[Daniel J Walsh]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Seems to be SELinux patch is causing systemd-logind not to be able to send
dbus message to systemd.

In the logs I see this message

Sep 21 16:57:39 celtics systemd-logind[874]: System is powering down.
Sep 21 16:57:39 celtics systemd-logind[874]: Failed to issue method call:
Resource temporarily unavailable

Which looks like the dbus call is failing.  I believe this is the same problem.

I have to run but will continue to work on this on Monday.  Any ideas on what
could cause it?


-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iEYEARECAAYFAlBc1ucACgkQrlYvE4MpobOgZQCgtOIVhfSwF6hcMuogizP+KR34
4sEAn1CGXefCBWCWr2zLUrggzuHfKrxX
=CxxD
-END PGP SIGNATURE-
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

[systemd-devel] Latest SELinux Access Patch.

[Daniel J Walsh]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

This patch adds the ability to look at the calling process that is trying to
do dbus calls into systemd, then it checks with the SELinux policy to see if
the calling process is allowed to do the activity.

The basic idea is we want to allow NetworkManager_t to be able to start and
stop ntpd.service, but not necessarly mysqld.service.

Similarly we want to allow a root admin webadm_t that can only manage the
apache environment.  systemctl enable httpd.service, systemctl disable
iptables.service bad.

To make this code cleaner, we really need to refactor the dbus-manager.c code.
 This has just become a huge if-then-else blob, which makes doing the correct
check difficult.

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iEYEARECAAYFAlBJBi8ACgkQrlYvE4MpobOzTwCdEUikbvRWUCwOb83KlVF0Nuy5
lRAAnjZZNuc19Z+aNxm3k3nwD4p/JYco
=yops
-END PGP SIGNATURE-
diff --git a/Makefile.am b/Makefile.am
index ae775c8..654bf67 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -944,6 +944,8 @@ libsystemd_core_la_SOURCES = \
 	src/core/dbus-path.h \
 	src/core/cgroup.c \
 	src/core/cgroup.h \
+	src/core/selinux-access.c \
+	src/core/selinux-access.h \
 	src/core/selinux-setup.c \
 	src/core/selinux-setup.h \
 	src/core/ima-setup.c \
diff --git a/src/core/bus-errors.h b/src/core/bus-errors.h
index 04c1b28..dca7824 100644
--- a/src/core/bus-errors.h
+++ b/src/core/bus-errors.h
@@ -43,6 +43,7 @@
 #define BUS_ERROR_TRANSACTION_ORDER_IS_CYCLIC org.freedesktop.systemd1.TransactionOrderIsCyclic
 #define BUS_ERROR_SHUTTING_DOWN org.freedesktop.systemd1.ShuttingDown
 #define BUS_ERROR_NO_SUCH_PROCESS org.freedesktop.systemd1.NoSuchProcess
+#define BUS_ERROR_ACCESS_DENIED org.freedesktop.systemd1.AccessDenied
 
 static inline const char *bus_error(const DBusError *e, int r) {
 if (e  e-message)
diff --git a/src/core/dbus-manager.c b/src/core/dbus-manager.c
index c341d36..9df02e6 100644
--- a/src/core/dbus-manager.c
+++ b/src/core/dbus-manager.c
@@ -30,6 +30,7 @@
 #include build.h
 #include dbus-common.h
 #include install.h
+#include selinux-access.h
 #include watchdog.h
 #include hwclock.h
 #include path-util.h
@@ -564,6 +565,9 @@ static DBusHandlerResult bus_manager_message_handler(DBusConnection *connection,
 dbus_error_init(error);
 
 member = dbus_message_get_member(message);
+r = selinux_manager_access_check(connection, message, m, error);
+if (r)
+return bus_send_error_reply(connection, message, error, r);
 
 if (dbus_message_is_method_call(message, org.freedesktop.systemd1.Manager, GetUnit)) {
 const char *name;
diff --git a/src/core/dbus-unit.c b/src/core/dbus-unit.c
index ad817d7..3008ea8 100644
--- a/src/core/dbus-unit.c
+++ b/src/core/dbus-unit.c
@@ -26,6 +26,7 @@
 #include dbus-unit.h
 #include bus-errors.h
 #include dbus-common.h
+#include selinux-access.h
 
 const char bus_unit_interface[] _introspect_(Unit) = BUS_UNIT_INTERFACE;
 
@@ -411,9 +412,19 @@ static DBusHandlerResult bus_unit_message_dispatch(Unit *u, DBusConnection *conn
 JobType job_type = _JOB_TYPE_INVALID;
 char *path = NULL;
 bool reload_if_possible = false;
+int r;
 
 dbus_error_init(error);
 
+r = selinux_unit_access_check(
+connection,
+message,
+m,
+(u-fragment_path ? u-fragment_path: u-source_path),
+error);
+if (r)
+return bus_send_error_reply(connection, message, error, r);
+
 if (dbus_message_is_method_call(message, org.freedesktop.systemd1.Unit, Start))
 job_type = JOB_START;
 else if (dbus_message_is_method_call(message, org.freedesktop.systemd1.Unit, Stop))
@@ -434,7 +445,6 @@ static DBusHandlerResult bus_unit_message_dispatch(Unit *u, DBusConnection *conn
 const char *swho;
 int32_t signo;
 KillWho who;
-int r;
 
 if (!dbus_message_get_args(
 message,
@@ -479,7 +489,6 @@ static DBusHandlerResult bus_unit_message_dispatch(Unit *u, DBusConnection *conn
 const char *smode;
 JobMode mode;
 Job *j;
-int r;
 
 if ((job_type == JOB_START  u-refuse_manual_start) ||
 (job_type == JOB_STOP  u-refuse_manual_stop) ||
diff --git a/src/core/selinux-access.c b/src/core/selinux-access.c
new file mode 100644
index 000..30eab68
--- /dev/null
+++ b/src/core/selinux-access.c
@@ -0,0 +1,710 @@
+
+/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
+
+/***
+  This file is part of systemd.
+
+  Copyright 2012 Dan Walsh
+
+  systemd is free software; you can redistribute it and/or modify it
+  under the terms of the GNU General Public License as published by
+  the 

Re: [systemd-devel] Not sure if I am doing something wrong or if this is a bug.

[Daniel J Walsh]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 08/03/2012 03:45 PM, Lennart Poettering wrote:
 On Mon, 30.07.12 17:13, Daniel J Walsh (dwa...@redhat.com) wrote:
 
 -BEGIN PGP SIGNED MESSAGE- Hash: SHA1
 
 In containers we are blocking systemd from creating containers.  If I try
 to run httpd within a container it asks for PrivateTmp and SELinux stops
 systemd from setting up the PrivateTmp.  In order to get around this, I
 decided to try to create a unit file based off of the httpd unit file.
 
 cat /etc/systemd/system/sandbox.target.wants/httpd.service
 
 Files in .wants/ directory should be symlinks (since they just are used to
 express deps, not the actual services). Hence you want to place this 
 service file in /etc/systemd/system/httpd.service and then make 
 /etc/systemd/system/sandbox.target.wants/httpd.service a symlink to it.
 
 And then use systemctl daemon-reload to actviate these changes. And use
 systemctl show httpd.service to check whether your changes were properly
 applied.
 
 Lennart
 
Yes I figured this all out last week.  It now seems to work pretty well.
Hopefull new versions of libvirt and libvirt-sandbox get pushed into Rawhide
this week, so we can get people playing with this.


-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAlAfzEsACgkQrlYvE4MpobN8UgCfX6PYDgalQvTas57pIMk9l/Jl
7sgAnApiyv/NzY1m8N/PaNjUaYl8XAMz
=x1Tu
-END PGP SIGNATURE-
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] Not sure if I am doing something wrong or if this is a bug.

[Daniel J Walsh]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 07/30/2012 10:08 PM, Mathieu Bridon wrote:
 On Mon, 2012-07-30 at 21:49 +, Jóhann B. Guðmundsson wrote:
 On 07/30/2012 09:13 PM, Daniel J Walsh wrote:
 Is this failing to see the /etc/systemd/system/httpd.service file?  Or
 is the include failing?
 
 Include might failing since there is currently no way to replace existing
 entry with another one.
 
 You can easily confirm or deny if that's the case by simply copy the 
 existing unit and set PrivateTmp to false
 
 You can also run systemctl show httpd.service
 
 It should show you both the full path to the unit file (so you can make 
 sure that the one in /etc is used) as well as the value of PrivateTmp.
 
 I'm sure you did, but just to be extra cautious: did you daemon-reload 
 after adding the file in /etc?
 
 
Ok I think it is working.  Thanks for the hints on commands, I did not know
show would tell you the config.

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAlAZlTsACgkQrlYvE4MpobOpXACcDpGnuANaXhRjvvGxok/51RwB
CUUAoMYO/cN8i51uYY8+N75EOB0A1yGY
=ZFTE
-END PGP SIGNATURE-
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

[systemd-devel] Not sure if I am doing something wrong or if this is a bug.

[Daniel J Walsh]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

In containers we are blocking systemd from creating containers.  If I try to
run httpd within a container it asks for PrivateTmp and SELinux stops systemd
from setting up the PrivateTmp.  In order to get around this, I decided to try
to create a unit file based off of the httpd unit file.

 cat /etc/systemd/system/sandbox.target.wants/httpd.service
.include /usr/lib/systemd/system/httpd.service
[Service]
PrivateTmp=false


But running this within a container still blows up

# systemctl start httpd.service
Job failed. See system journal and 'systemctl status' for details.
sh-4.2# systemctl status httpd.service
httpd.service - The Apache HTTP Server
  Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled)
  Active: failed (Result: exit-code) since Mon, 30 Jul 2012 17:12:37 
-0400;
15s ago
 Process: 152 ExecStop=/usr/sbin/httpd $OPTIONS -k graceful-stop
(code=exited, status=226/NAMESPACE)
 Process: 153 ExecStart=/usr/sbin/httpd $OPTIONS (code=exited,
status=226/NAMESPACE)
Main PID: 131 (code=exited, status=0/SUCCESS)
  CGroup: name=systemd:/system/libvirtd.service/system/httpd.service

Jul 30 17:12:37 apache2 httpd[153]: Failed at step NAMESPACE spawning /usr/...ed
sh-4.2#


Is this failing to see the /etc/systemd/system/httpd.service file?  Or is the
include failing?

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAlAW+RQACgkQrlYvE4MpobNqHwCgkj7qJJFn6t1G2cDworfpfWjq
4REAoJZ6kZeqCTu2QBZ5nj2//oAVqqdI
=du44
-END PGP SIGNATURE-
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

[systemd-devel] Looking for comments on this patch.

[Daniel J Walsh]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

The goal of this patch is to add the ability for systemd to verify that
SELinux policy allows the calling process to do the specified action.
Start/Stop/Service

This is expanded upon in this Feature Page Article.

https://fedoraproject.org/wiki/Features/SELinuxSystemdAccessControl

I am having a hard time testing this, and any suggestions welcomed.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAlAO+00ACgkQrlYvE4MpobPrvQCgsb0XurnGVF31LzO3cvYDYMpl
7+MAoKgFCOOFJAvuMHq19tAg7eE2/Q9n
=c5/D
-END PGP SIGNATURE-
diff --git a/Makefile.am b/Makefile.am
index 27666ea..3d44ab0 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -943,6 +943,8 @@ libsystemd_core_la_SOURCES = \
 	src/core/dbus-path.h \
 	src/core/cgroup.c \
 	src/core/cgroup.h \
+	src/core/selinux-access.c \
+	src/core/selinux-access.h \
 	src/core/selinux-setup.c \
 	src/core/selinux-setup.h \
 	src/core/ima-setup.c \
diff --git a/src/core/bus-errors.h b/src/core/bus-errors.h
index 04c1b28..dca7824 100644
--- a/src/core/bus-errors.h
+++ b/src/core/bus-errors.h
@@ -43,6 +43,7 @@
 #define BUS_ERROR_TRANSACTION_ORDER_IS_CYCLIC org.freedesktop.systemd1.TransactionOrderIsCyclic
 #define BUS_ERROR_SHUTTING_DOWN org.freedesktop.systemd1.ShuttingDown
 #define BUS_ERROR_NO_SUCH_PROCESS org.freedesktop.systemd1.NoSuchProcess
+#define BUS_ERROR_ACCESS_DENIED org.freedesktop.systemd1.AccessDenied
 
 static inline const char *bus_error(const DBusError *e, int r) {
 if (e  e-message)
diff --git a/src/core/dbus-manager.c b/src/core/dbus-manager.c
index c341d36..3f6f4af 100644
--- a/src/core/dbus-manager.c
+++ b/src/core/dbus-manager.c
@@ -30,6 +30,7 @@
 #include build.h
 #include dbus-common.h
 #include install.h
+#include selinux-access.h
 #include watchdog.h
 #include hwclock.h
 #include path-util.h
@@ -556,6 +557,8 @@ static DBusHandlerResult bus_manager_message_handler(DBusConnection *connection,
 JobType job_type = _JOB_TYPE_INVALID;
 bool reload_if_possible = false;
 const char *member;
+const char *perm;
+int require_unit;
 
 assert(connection);
 assert(message);
@@ -565,6 +568,35 @@ static DBusHandlerResult bus_manager_message_handler(DBusConnection *connection,
 
 member = dbus_message_get_member(message);
 
+selinux_perm_lookup(message, perm, require_unit);
+if (require_unit) {
+const char *name;
+Unit *u;
+
+if (!dbus_message_get_args(
+message,
+error,
+DBUS_TYPE_STRING, name,
+DBUS_TYPE_INVALID))
+return bus_send_error_reply(connection, message, error, -EINVAL);
+
+if (!(u = manager_get_unit(m, name))) {
+dbus_set_error(error, BUS_ERROR_NO_SUCH_UNIT, Unit %s is not loaded., name);
+return bus_send_error_reply(connection, message, error, -ENOENT);
+}
+
+if (u-fragment_path) {
+r = selinux_access_check(connection, message, m, error, perm, u-fragment_path);
+} else {
+r = selinux_access_check(connection, message, m, error, perm, u-source_path);
+}
+if (r != 0)
+return bus_send_error_reply(connection, message, error, r);
+} else {
+r = selinux_access_check(connection, message, m, error, perm, NULL);
+if (r != 0)
+return bus_send_error_reply(connection, message, error, r);
+}
 if (dbus_message_is_method_call(message, org.freedesktop.systemd1.Manager, GetUnit)) {
 const char *name;
 Unit *u;
diff --git a/src/core/dbus-unit.c b/src/core/dbus-unit.c
index 2d2f378..d592211 100644
--- a/src/core/dbus-unit.c
+++ b/src/core/dbus-unit.c
@@ -26,6 +26,7 @@
 #include dbus-unit.h
 #include bus-errors.h
 #include dbus-common.h
+#include selinux-access.h
 
 const char bus_unit_interface[] _introspect_(Unit) = BUS_UNIT_INTERFACE;
 
@@ -411,9 +412,21 @@ static DBusHandlerResult bus_unit_message_dispatch(Unit *u, DBusConnection *conn
 JobType job_type = _JOB_TYPE_INVALID;
 char *path = NULL;
 bool reload_if_possible = false;
+int r;
+const char *perm;
+int require_unit;
 
 dbus_error_init(error);
 
+selinux_perm_lookup(message, perm, require_unit);
+if (u-fragment_path) {
+r = selinux_access_check(connection, message, m, error, perm, u-fragment_path);
+} else {
+r = selinux_access_check(connection, message, m, error, perm, u-source_path);
+}
+if (r != 0)
+return 

Re: [systemd-devel] Hosting a sprint in SF?

[Daniel J Walsh]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 07/09/2012 06:24 PM, Lennart Poettering wrote:
 On Fri, 29.06.12 09:34, David Strauss (da...@davidstrauss.net)
 wrote:
 
 
 On Fri, Jun 29, 2012 at 5:58 AM, Lennart Poettering 
 lenn...@poettering.net wrote:
 It's going to be an LXC/libvirt/systemd/SELinux hackfest, in 
 order to make systemd integrated formidably with containers and
 security subsystems, so that we end up with secure containers
 for Linux that match more closely what Solaris Zones can offer.
 One of the topics we're likely to discuss is journal
 integration for this, so that the journals of the containers
 seemlessly browsable on the host system.
 
 It's going to be the day before LPC, in San Diego, 28th Aug.
 
 The LXC/libvirt part is pretty interesting, and I'd like to learn
 more about selinux.
 
 Is there any interest from OpenShift in participating? They have
 a similar container to Pantheon and have their stuff in the
 Fedora 18 roadmap.
 
 I honestly can't answer that question, since I don#t know. We
 haven't made a lot of advertisements about this hackfest yet. I
 guess i should do that.
 
 Lennart
 

We have been talking to the openshift guys on the side and have
explained what we are doing.  They are interested and will probably be
some of the first people to play with it, once it is ready.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk/8JG0ACgkQrlYvE4MpobM7yQCeL/p/e6e3tnRZS27nxERIZdTq
MpsAoIsAl9aSIBT/T/PoIY3TLm3VjtHy
=d1Lu
-END PGP SIGNATURE-
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] Hosting a sprint in SF?

[Daniel J Walsh]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 07/10/2012 02:33 PM, David Strauss wrote:
 On Tue, Jul 10, 2012 at 5:47 AM, Daniel J Walsh dwa...@redhat.com wrote:
 We have been talking to the openshift guys on the side and have explained
 what we are doing.  They are interested and will probably be some of the
 first people to play with it, once it is ready.
 
 Would any of them be interested in participating in the September sprint?
 Like OpenShift, Pantheon (my company) is focused on using this technology
 for high-density platform services that host user applications.
 
 I understand that Red Hat's policies are pretty strict regarding sprint
 travel, so I'm happy to cover some of the costs there for valuable
 participants. OpenShift developers would certainly qualify.
 
You would need to contact them.  Although I am sure some will be attending.

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk/80QcACgkQrlYvE4MpobPp3QCgibnFQjOeTIZEPW4b+AyvV+VP
r6MAnRCJ1w+yAmpIiSCD4YgmDyoYZNmN
=qMCd
-END PGP SIGNATURE-
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] Fix systemd-udev labeling of /var/run directory.

[Daniel J Walsh]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 05/30/2012 08:27 PM, Lennart Poettering wrote:
 On Wed, 30.05.12 23:32, Lennart Poettering (lenn...@poettering.net) wrote:
 
 
 On Wed, 30.05.12 16:13, Daniel J Walsh (dwa...@redhat.com) wrote:
 
 +const char *prefixes[] = { /dev, /var/run, NULL };
 
 Is there a reason this mentions /var/run and not /run?
 
 Otherwise looks good to me!
 
 I have now commited the patch but took the liberty to change /var/run to 
 /run here.
 
 Lennart
 
Yes it has to be /var/run.  The policy is all written with the upstream
/var/run patterns not /run.


# matchpathcon -p /run /run/udev
/run/udev   system_u:object_r:default_t:s0

# matchpathcon -p /var/run /run/udev
/run/udev   system_u:object_r:udev_var_run_t:s0

We have equivalence match between /run - /var/run

But the library for loading initial context does not take this into account.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk/HTecACgkQrlYvE4MpobOdIACfWWj1t8wczo9k2iBgill6J8vz
JHUAni/pvi3LsI/d/KXrfb+tJUa0itzH
=Ko7F
-END PGP SIGNATURE-
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] Fix systemd-udev labeling of /var/run directory.

[Daniel J Walsh]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 05/31/2012 07:01 AM, Lennart Poettering wrote:
 On Thu, 31.05.12 06:54, Daniel J Walsh (dwa...@redhat.com) wrote:
 
 Heya,
 
 On Wed, 30.05.12 16:13, Daniel J Walsh (dwa...@redhat.com) wrote:
 
 +const char *prefixes[] = { /dev, /var/run, NULL };
 
 Is there a reason this mentions /var/run and not /run?
 
 Otherwise looks good to me!
 
 I have now commited the patch but took the liberty to change /var/run
 to /run here.
 
 Lennart
 
 Yes it has to be /var/run.  The policy is all written with the upstream 
 /var/run patterns not /run.
 
 
 # matchpathcon -p /run /run/udev /run/udev
 system_u:object_r:default_t:s0
 
 # matchpathcon -p /var/run /run/udev /run/udev
 system_u:object_r:udev_var_run_t:s0
 
 We have equivalence match between /run - /var/run
 
 But the library for loading initial context does not take this into
 account.
 
 Humm, but it seems wrong encoding in the C code that the policy hasn't been
 updated for the /var/run move yet... [1]
 
 Note that starting with F17 /var/run is unconditionally a symlink now, and
 no longer a bind mount. This means /run is always the right name for this,
 on any level. Isn't it time to update the policy to reflect this?
 
 Hmm, people have noticed that the systemd 184 (with your patch applied) 
 doesn't build on non-Fedora anymore because your patch appears to use a 
 Fedora-only API addition. Will this go upstream any time soon? I feel quite
 uncomfortable leaving this in the state in systemd, effectively breaking
 everybody's but Fedora's build with this?
 
 Thanks,
 
 Lennart
 
 
 Footnotes:
 
 [1] The least we should probably do is include both /var/run and /run in 
 the list...
 
Ok Eric and I will work to get it upstream.  I guess for F18 I can move the
/var/run definition to /run and reverse the equivalence.  But it is probably
best to put /var/run and /run in the list.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk/HUEUACgkQrlYvE4MpobPTtgCghCBEH6gpzKUrCEqKHTuSBK68
he0An3l5+X0Csz0kCCUAhSttdCvtMD+p
=/uW0
-END PGP SIGNATURE-
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] Fix systemd-udev labeling of /var/run directory.

[Daniel J Walsh]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 05/31/2012 07:51 AM, Kay Sievers wrote:
 On Thu, May 31, 2012 at 1:04 PM, Daniel J Walsh dwa...@redhat.com wrote:
 
 Ok Eric and I will work to get it upstream.  I guess for F18 I can move
 the /var/run definition to /run and reverse the equivalence.  But it is
 probably
 
 We have changed udev not do any selinux label magic for /run 
 files/directories now, but only for /dev.
 
 I have reverted the patch for the (unreleased API) /dev, /run prefixes
 list for now. Hopefully we will not need anything like that with the
 current udev code.
 
 Thanks, Kay
Ok if the only content udev creates is in /run/udev and /run/udev is created
with udev_var_run_t, we should be fine.  Should be faster also. (Although
maybe not measurable.)
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk/HaIsACgkQrlYvE4MpobPDewCfVmZ2cdvcwbed/H+zPPM8qv7v
HTMAoLn1EJ6bcQq19hzgCuFLKeSz6pWl
=25VT
-END PGP SIGNATURE-
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

[systemd-devel] Fix systemd-udev labeling of /var/run directory.

[Daniel J Walsh]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

systemd-udev is currently incorrectly labeling /run/udev/* content because it is
using selinux prefix labeling of /dev.  This patch will allow systemd-udev to
use prefix labeling of /dev and /run.


-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk/Gf3wACgkQrlYvE4MpobM52wCeNU8iT1e4qIZnGzeDXUoHjG75
EkEAoN9HFxZv+J8HKkhpbRhWNtM8gHnO
=MulB
-END PGP SIGNATURE-
From 779a7148a40f56529821d37ac348abec3b565459 Mon Sep 17 00:00:00 2001
From: Dan Walsh dwa...@redhat.com
Date: Wed, 30 May 2012 15:34:55 -0400
Subject: [PATCH 5/6] Switch to using prefix array rather then single prefix.
 This will allow proper labeling of /dev and /var/run
 (/run) directory from systemd-udev

---
 src/shared/label.c |6 +++---
 src/shared/label.h |2 +-
 src/udev/udevadm.c |4 +++-
 src/udev/udevd.c   |3 ++-
 4 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/src/shared/label.c b/src/shared/label.c
index 2d7d42a..39c6f03 100644
--- a/src/shared/label.c
+++ b/src/shared/label.c
@@ -52,7 +52,7 @@ void label_retest_selinux(void) {
 
 #endif
 
-int label_init(const char *prefix) {
+int label_init(const char *prefixes[]) {
 int r = 0;
 
 #ifdef HAVE_SELINUX
@@ -68,9 +68,9 @@ int label_init(const char *prefix) {
 before_mallinfo = mallinfo();
 before_timestamp = now(CLOCK_MONOTONIC);
 
-if (prefix) {
+if (prefixes) {
 struct selinux_opt options[] = {
-{ .type = SELABEL_OPT_SUBSET, .value = prefix },
+{ .type = SELABEL_OPT_SUBSET, .values = prefixes },
 };
 
 label_hnd = selabel_open(SELABEL_CTX_FILE, options, ELEMENTSOF(options));
diff --git a/src/shared/label.h b/src/shared/label.h
index 3f880e3..90b49ff 100644
--- a/src/shared/label.h
+++ b/src/shared/label.h
@@ -26,7 +26,7 @@
 #include stdbool.h
 #include sys/socket.h
 
-int label_init(const char *prefix);
+int label_init(const char *prefixes[]);
 void label_finish(void);
 
 int label_fix(const char *path, bool ignore_enoent);
diff --git a/src/udev/udevadm.c b/src/udev/udevadm.c
index 5217d7f..c7d13f3 100644
--- a/src/udev/udevadm.c
+++ b/src/udev/udevadm.c
@@ -91,6 +91,7 @@ int main(int argc, char *argv[])
 { version, no_argument, NULL, 'V' },
 {}
 };
+const char *prefixes[] = { /dev, /var/run, NULL };
 const char *command;
 unsigned int i;
 int rc = 1;
@@ -102,7 +103,8 @@ int main(int argc, char *argv[])
 log_open();
 log_parse_environment();
 udev_set_log_fn(udev, udev_main_log);
-label_init(/dev);
+
+label_init(prefixes);
 
 for (;;) {
 int option;
diff --git a/src/udev/udevd.c b/src/udev/udevd.c
index 0d85960..85d4f66 100644
--- a/src/udev/udevd.c
+++ b/src/udev/udevd.c
@@ -1030,6 +1030,7 @@ int main(int argc, char *argv[])
 int fd_ctrl = -1;
 int fd_netlink = -1;
 int fd_worker = -1;
+const char *prefixes[] = { /dev, /var/run, NULL };
 struct epoll_event ep_ctrl, ep_inotify, ep_signal, ep_netlink, ep_worker;
 struct udev_ctrl_connection *ctrl_conn = NULL;
 int rc = 1;
@@ -1042,7 +1043,7 @@ int main(int argc, char *argv[])
 log_parse_environment();
 udev_set_log_fn(udev, udev_main_log);
 log_debug(version %s\n, VERSION);
-label_init(/dev);
+label_init(prefixes);
 
 for (;;) {
 int option;
-- 
1.7.10.2


___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] [HEADSUP] systemd Optimizations

[Daniel J Walsh]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 05/13/2012 04:44 PM, Lennart Poettering wrote:
 Heya,
 
 I just put together a first version of a wiki text explaining a couple fo
 ways to improve system boot-up performance even further:
 
 http://freedesktop.org/wiki/Software/systemd/Optimizations
 
 I hope this is useful both to folks working on distributions and those 
 working on appliances to get the most out of systemd. It lists both 
 suggestions that are easily made locally, and changes that need hacking but
 we'd like to go systemd upstream eventually.
 
 We'll try to keep this up to date.
 
 If you do systemd optimization work, this should be the first place to go
 to!
 
 If you have further suggestions for additions to this page please ping us!
 
 Lennart
 

We have added some ability to optimize the loading of file regex in libselinux
in the F17 libraries.  We might want to look at using this to shrink the 100ms
SELinux startup time penalty.  You could use a prefix for /dev, /var/run and
/run, /tmp and eliminate building the regex for all file context under /usr,
/var/ /etc
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk+xBZgACgkQrlYvE4MpobOkWACfYjM7lW8s+16ecEmHycijYspx
3ioAn30v3qzHR37TB6pLRLd/s6D99R3A
=0Iw0
-END PGP SIGNATURE-
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] [ANNOUNCE] systemd v44

[Daniel J Walsh]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 03/19/2012 10:12 AM, Kay Sievers wrote:
 On Mon, Mar 19, 2012 at 15:03, Thierry Reding 
 thierry.red...@avionic-design.de wrote:
 * Daniel J Walsh wrote:
 -BEGIN PGP SIGNED MESSAGE- Hash: SHA1
 
 On 03/19/2012 07:59 AM, Thierry Reding wrote:
 * Kay Sievers wrote:
 On Sat, Mar 17, 2012 at 15:14, Koen Kooi 
 k...@dominion.thruhere.net wrote:
 
 Op 16 mrt. 2012, om 02:40 heeft Lennart Poettering het
 volgende geschreven:
 
 Heya,
 
 this is primarily a bugfix release (but does include a
 couple of new things) and might be very likely the
 version we'll ship in Fedora 17, unless there's some
 unforeseen bigger bug left to be fixed.
 
 http://cgit.freedesktop.org/systemd/systemd/plain/NEWS 
 http://www.freedesktop.org/software/systemd/systemd-44.tar.xz




 
I get the following error and warnings when crosscompiling for arm:
 
 | src/journal/journald.c: In function 'process_event': | 
 src/journal/journald.c:2147:49: error: 'PAGE_SIZE'
 undeclared (first use in this function)
 
 PATH_MAX might be simpler to use here.
 
 Exactly how long are SELinux labels allowed to be? I couldn't
 find any related constants in any of the headers on my
 system. Alternatively, maybe a more portable way would be to
 use sysconf(_SC_PAGESIZE) here?
 
 Right now they are unlimited, but we are having discussions
 with upstream about potentially picking a limit of around 2k.
 
 What is the time frame for this?
 
 I have been able to generate a worse case label of just over
 5k, in userspace, but this would be limited to around 2k if
 coming from the kernel.
 
 In NON-MlS world, SELinux labels would never be longer then 100
 chars.
 
 In the meantime maybe some constant known to be an absolute
 maximum should be chosen. I don't know if the typical page-size
 of 4K would be enough given that you've been able to generate one
 that is larger. 8K on the other hand seems way too much.
 
 It used to be NAME_MAX 255 in the past, in earlier days of 
 selinux/audit userspace, I think.
 
I think this is a perfectly acceptable number and will satisfy most
cases.  Only in the wacky world of MLS where you could have a huge
number of categories is the not enough, and the MLS world would rely
on the audit.log anyways for this type of information.  Until SELinux
picks a number I would go with a NAME_MAX of 255.

 If longer names should be supported,  PATH_MAX 4096 sounds good to
 me.
 
 If it should be crazy large, XATTR_SIZE_MAX 65536 seems to define
 the upper limit anyway. :)
 
 Kay

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk9nQesACgkQrlYvE4MpobPySwCgoMN6j4QTPdHjafQyZnURXaua
3ukAn3HC+Zz0JFD7VXpoYz/QavBYKo1u
=0Ga8
-END PGP SIGNATURE-
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] dracut: ordering of modules

[Daniel J Walsh]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 02/13/2012 05:29 AM, Harald Hoyer wrote:
 Am 13.02.2012 11:17, schrieb Roberto Sassu:
 Hi Harald
 
 this functionality seems to be broken in dracut due to a change
 in the SELinux load_policy tool. After enabling the selinux
 module in dracut, i obtain:
 
 [3.369059] dracut: Loading SELinux policy [3.449850]
 dracut: /sbin/load_policy: Can't load policy: No such file or 
 directory [3.659899] dracut: Switching root
 
 
 This error can have multiple causes... Dan?

Well likeliest would be selinux-policy package is not installed.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk85QaIACgkQrlYvE4MpobMNbwCgi8JG0fmlQsnvo2HNnA+Orxzr
UYcAoKqHj0+Ll8lfbYpvGzANxck4MAwP
=geIr
-END PGP SIGNATURE-
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

[systemd-devel] We are working on Secure Container Applications.

[Daniel J Walsh]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

The idea is to run multiple instances of the same application within a
container.  For example multiple Apache servers.

I am working on a tool to create these containers, which will create a
service unit file.

# virt-sandbox-service create -e /usr/sbin/httpd httpd_sanbox
Created container dir /var/lib/libvirt/filesystems/httpd_sanbox
Created sandbox config /etc/libvirt-sandbox/httpd_sanbox.sandbox
Created unit file /etc/systemd/system/httpd_sanbox.service

One problem we see with this is when the httpd program gets updated,
it runs a systemctl reload httpd.service, to cause the httpd service
to restart.  We would like to get this reload command from systemd
also.

What do you guys think of adding something like the following to the
service unit?

ReloadRequest: httpd.service

Then anyone asking to reload the httpd.service would also cause the
httpd_sandbox.service to get the reload.

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk8LX2IACgkQrlYvE4MpobMoMQCgmwQoZvm68QzFw8iEwdOVD5/p
g3sAoNUB9Hb2YnD5M1Egj6zxj+1f31TL
=C4jm
-END PGP SIGNATURE-
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] selinux policy updates for logind

[Daniel J Walsh]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 01/03/2012 11:02 AM, Bill Nottingham wrote:
 Matthias Clasen (matthias.cla...@gmail.com) said:
 On Wed, Dec 28, 2011 at 9:25 AM, Daniel J Walsh
 dwa...@redhat.com wrote:
 
 Well are you seeing a AVC about local_login_t sending a dbus
 message to systemd?
 
 I don't know, I haven't checked. But the patch fixes the problem,
 and is pretty obvious...
 
 Is this just another case of 
 https://bugzilla.redhat.com/show_bug.cgi?id=759202 ?
 
 Bill
Could be, Matthias, are you still seeing this with the latest
selinux-policy?
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk8DMyYACgkQrlYvE4MpobMUGACeOh4tUdp8DpvD1J+TSgBf5Ff1
Ot8AoNqEnwbGCcSdHaQOD6DYvlo2W+3g
=xeDz
-END PGP SIGNATURE-
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] selinux policy updates for logind

[Daniel J Walsh]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 12/23/2011 09:16 PM, Matthias Clasen wrote:
 I've spent some time playing with the ConsoleKit-replacement 
 functionality in logind, and noticed that I couldn't test the
 PolicyKit integration for the poweroff/reboot methods in logind,
 since selinux doesn't let my method calls reach their destination.
 
 Matthias
What AVCs are you seeing?
 
 
 diff -up systemd-37/src/org.freedesktop.login1.conf.selinux 
 systemd-37/src/org.freedesktop.login1.conf ---
 systemd-37/src/org.freedesktop.login1.conf.selinux▸‧2011-12-23 
 21:09:32.795513513 -0500 +++
 systemd-37/src/org.freedesktop.login1.conf▸‧2011-12-23 
 21:10:36.456511229 -0500 @@ -69,6 +69,14 @@ 
 send_member=ActivateSession/
 
 allow send_destination=org.freedesktop.login1 +
 send_interface=org.freedesktop.login1.Manager +
 send_member=PowerOff/ + +allow
 send_destination=org.freedesktop.login1 +
 send_interface=org.freedesktop.login1.Manager +
 send_member=Reboot/ + +allow
 send_destination=org.freedesktop.login1 
 send_interface=org.freedesktop.login1.Seat 
 send_member=ActivateSession/ 
 ___ systemd-devel
 mailing list systemd-devel@lists.freedesktop.org 
 http://lists.freedesktop.org/mailman/listinfo/systemd-devel

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk77IBIACgkQrlYvE4MpobNhBQCdFZ0lgAOJQz0M/ApwmqWb0RSA
Dj8An3y/Dja/rT1PmlqDcl8awiCUMuoA
=C5hs
-END PGP SIGNATURE-
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

[systemd-devel] SELinux needs labels to be assigned at boot time to /sys

[Daniel J Walsh]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

The only way to do this is by running restorecon over the contents.

We would like to add /sys to the list of directories that systemd
fixes at boot time, just like /dev

https://bugzilla.redhat.com/show_bug.cgi?id=767355

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk7nwMoACgkQrlYvE4MpobPXhgCgrFOrRkr/wlgzRE5wKcVg9bvk
FfgAoJI291nd2Oqo1eDBuyAJyT2fgTKU
=LiKB
-END PGP SIGNATURE-
diff -up systemd-37/src/mount-setup.c~ systemd-37/src/mount-setup.c
--- systemd-37/src/mount-setup.c~   2011-08-30 13:21:41.804076227 -0400
+++ systemd-37/src/mount-setup.c2011-12-13 16:10:22.343870192 -0500
@@ -395,6 +395,7 @@ int mount_setup(bool loaded_policy) {
 
 nftw(/dev, nftw_cb, 64, FTW_MOUNT|FTW_PHYS|FTW_ACTIONRETVAL);
 nftw(/run, nftw_cb, 64, FTW_MOUNT|FTW_PHYS|FTW_ACTIONRETVAL);
+nftw(/sys, nftw_cb, 64, FTW_MOUNT|FTW_PHYS|FTW_ACTIONRETVAL);
 
 /* Explicitly relabel these */
 NULSTR_FOREACH(j, relabel)
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] New pam module to start a session.

[Daniel J Walsh]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 10/14/2011 04:34 AM, Stef Bon wrote:
 Hi,
 
 I've rewritten an existing pam module pam_script. What it does:
 
 . runs a script . unshare the mount namespace (if configured,
 default yes)
 
 if the directory to chroot to is specfied it does also:
 
 . mount all the required directories like bin, lib, usr etcetera. .
 chroot to this directory
 
 See:
 
 git clone git://gitorious.org/pam_script/pam_script.git pam_script 
 cd pam_script
 
 
 Please some comments. Especially the starting of a session, is
 this enough? If you look to the code you'll see that I've copied
 from nspawn.c the check is_os_tree and mount_all functions, and
 adjusted them a bit(is this ok?)
 
 In nspawn a lot more is done but I'm not that familiar with these
 low level operations. So please comment on this.
 
 Stef ___ systemd-devel
 mailing list systemd-devel@lists.freedesktop.org 
 http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Did you look at extending pam_namespace?
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk6YL2IACgkQrlYvE4MpobPL9gCeJ4/aKVMKiGoAjD+K5cD7paZR
xocAoJfTC3bYV/0Irzkp34eIwqClDCc4
=yZh7
-END PGP SIGNATURE-
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] nspawn remounts /selinux readonly, thus breaking logins

[Daniel J Walsh]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 07/08/2011 08:18 AM, Zbigniew Jędrzejewski-Szmek wrote:
 On 07/08/2011 01:59 PM, Daniel J Walsh wrote:
 On 07/08/2011 07:45 AM, Lennart Poettering wrote:
 On Fri, 08.07.11 10:41, Zbigniew Jdrzejewski-Szmek (zbys...@in.waw.pl) 
 wrote:


 On 07/07/2011 11:17 PM, Lennart Poettering wrote:
 On Thu, 07.07.11 16:52, Daniel J Walsh (dwa...@redhat.com) wrote:

 This has a nasty consequence of breaking logins:
 Jul  7 22:17:05 fedora-15 sshd[14261]: Accepted publickey for zbyszek 
 from 192.168.122.1 port 51205 ssh2
 Jul  7 20:17:05 fedora-15 sshd[14262]: fatal: mm_request_receive: 
 read: Connection reset by peer
 Jul  7 22:17:05 fedora-15 sshd[14261]: pam_selinux(sshd:session): 
 conversation failed
 Jul  7 22:17:05 fedora-15 sshd[14261]: pam_selinux(sshd:session): No 
 response to query: Would you like to enter a security context? [N] 
 Jul  7 22:17:05 fedora-15 sshd[14261]: pam_selinux(sshd:session): 
 Unable to get valid context for zbyszek
 Jul  7 22:17:05 fedora-15 sshd[14261]: pam_unix(sshd:session): session 
 opened for user zbyszek by (uid=0)
 Jul  7 22:17:05 fedora-15 sshd[14261]: error: PAM: pam_open_session(): 
 Authentication failure
 Jul  7 22:17:05 fedora-15 sshd[14264]: Received disconnect from 
 192.168.122.1: 11: disconnected by user

 In case of a login on a tty, the question about a security context
 is displayed on the screen. In case of ssh login, if just fails
 without any message displayed on the remote side.

 Newer versions of libselinux detect if /selinux is read-only and 
 consider
 selinux disabled if it is.
 But why is it disabled _outside_ of the container? This would mean that 
 running
 nspawn disables selinux.

 Hmm?

 No, it's read-only only inside the container. We do that to make sure
 the container cannot modify the selinux policy, since policies cannot be
 virtualized really.
 
 Nope, it becomes read-only outside. Some bug?
 Repeating the commands from the original mail:
 
 [zbyszek@fedora-15 ~]$ mount|grep selinux
 selinuxfs on /selinux type selinuxfs (rw,relatime)  - RW 
 here
 [zbyszek@fedora-15 ~]$ sudo systemd-nspawn -D debian-tree/ /bin/true
 Spawning namespace container on /home/zbyszek/debian-tree (console is 
 /dev/pts/2).
 [zbyszek@fedora-15 ~]$ mount|grep selinux
 selinuxfs on /selinux type selinuxfs (ro,relatime)  - RO 
 now
 
 I have no idea what nspawn does, but if you are turning the /selinux to
 readonly to prevent a root process from mucking with SELinux you are not
 going to be successful.  Since you can mount selinufs somewhere else and
 muck around with it. 
 As I understand, absolute security is not on of the goals of nspawn. It is
 only intended to prevent accidental breakage.
 
 If you want to run all of the processes within the
 nspawn environment under a single label, Like we do with Mock, then
 changing /selinux to read/only with the libselinux in Rawhide will give
 you want you want.  IE All processes within the container think SELinux
 is disabled, while SELinux is actually running all of the processes
 under confinement.
 
 Zbyszek
Lennart, I think to make this work correctly you need to bind mount
/selinux on /selinux, then make the mount point private, then finally
mount selinuxfs on /selinux read/only.  Otherwise since / is shared, the
mounting within the namespace will show up on all namespaces.


-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk4W9loACgkQrlYvE4MpobNREgCgnXFPQDL6rJCPxm1jSRNJor5G
ykQAni8GagyFkLjIwzI8DCOxckSR70Nh
=6I8m
-END PGP SIGNATURE-
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] nspawn remounts /selinux readonly, thus breaking logins

[Daniel J Walsh]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 07/07/2011 04:45 PM, Lennart Poettering wrote:
 On Thu, 07.07.11 22:42, Zbigniew Jędrzejewski-Szmek (zbys...@in.waw.pl) wrote:
 
 Hi,
 on freshly installed fedora-15 system, I've been trying out the nspawn, and
 running systemd-nspawn -D debian-tree/ (i.e. just the shell) seems
 to cause /selinux to be remount ro on the _host_:

 $ rpm -q systemd
 systemd-26-5.fc15.x86_64
 $ mount|grep selinux
 selinuxfs on /selinux type selinuxfs (rw,relatime)
 $ sudo systemd-nspawn -D debian-tree/ /bin/true
 $ mount|grep selinux
 selinuxfs on /selinux type selinuxfs (ro,relatime)

 This has a nasty consequence of breaking logins:
 Jul  7 22:17:05 fedora-15 sshd[14261]: Accepted publickey for zbyszek from 
 192.168.122.1 port 51205 ssh2
 Jul  7 20:17:05 fedora-15 sshd[14262]: fatal: mm_request_receive: read: 
 Connection reset by peer
 Jul  7 22:17:05 fedora-15 sshd[14261]: pam_selinux(sshd:session): 
 conversation failed
 Jul  7 22:17:05 fedora-15 sshd[14261]: pam_selinux(sshd:session): No 
 response to query: Would you like to enter a security context? [N] 
 Jul  7 22:17:05 fedora-15 sshd[14261]: pam_selinux(sshd:session): Unable to 
 get valid context for zbyszek
 Jul  7 22:17:05 fedora-15 sshd[14261]: pam_unix(sshd:session): session 
 opened for user zbyszek by (uid=0)
 Jul  7 22:17:05 fedora-15 sshd[14261]: error: PAM: pam_open_session(): 
 Authentication failure
 Jul  7 22:17:05 fedora-15 sshd[14264]: Received disconnect from 
 192.168.122.1: 11: disconnected by user

 In case of a login on a tty, the question about a security context
 is displayed on the screen. In case of ssh login, if just fails
 without any message displayed on the remote side.
 
 Newer versions of libselinux detect if /selinux read-only and consider
 selinux as disabled if is.
 
 Lennart
 
Do I need to back port this to F15?
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk4WHIsACgkQrlYvE4MpobNoGwCg21plu5JCs5wIv5fArvYDmOia
8+4An3FYGs3gsG21yNwkDAThrrV1kOYC
=LoD+
-END PGP SIGNATURE-
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] [PATCH] readahead-collect.c: ignore EACCES for fanotify

[Daniel J Walsh]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 05/25/2011 07:15 AM, Harald Hoyer wrote:
 With this patch and:
 
 # cat myreadahead.te
 
 module myreadahead 1.0;
 
 require {
 type readahead_t;
 type kmsg_device_t;
 class chr_file write;
 }
 
 #= readahead_t ==
 allow readahead_t kmsg_device_t:chr_file write;
 
 # checkmodule -M -m -o myreadahead.mod myreadahead.te
 # semodule_package -o myreadahead.pp -m myreadahead.mod
 # semodule -i myreadahead.pp
 
 
 systemd-readahead-collect finally works with selinux enabled on my
 Fedora 15 machine.
 
 Am 25.05.2011 13:09, schrieb har...@redhat.com:
 From: Harald Hoyerhar...@redhat.com

 At the start of auditd, we are temporarily not able to read
 from the fanotify fd. Ignoring it, seems to work.
 ---
   src/readahead-collect.c |2 +-
   1 files changed, 1 insertions(+), 1 deletions(-)

 diff --git a/src/readahead-collect.c b/src/readahead-collect.c
 index 3c48a02..913a340 100644
 --- a/src/readahead-collect.c
 +++ b/src/readahead-collect.c
 @@ -380,7 +380,7 @@ static int collect(const char *root) {

   if ((n = read(fanotify_fd,data, sizeof(data)))  0) {

 -if (errno == EINTR || errno == EAGAIN)
 +if (errno == EINTR || errno == EAGAIN ||
 errno == EACCES)
   continue;

   log_error(Failed to read event: %m);
 
Fix will be in selinux-policy-3.9.16-25.fc15
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk3c+TkACgkQrlYvE4MpobMywQCgw1pacO0CRh7Xlt8m04HeEioc
gKAAoODHLsOxk6FbZQVPlm1vHzFsBngN
=/yK+
-END PGP SIGNATURE-
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] Running a x86_64 kernel on Fedora 15 x86 userland

[Daniel J Walsh]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 05/03/2011 01:14 PM, Thomas Meyer wrote:
 
 Am 03.05.2011 um 15:14 schrieb Daniel J Walsh:
 
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1

 On 05/02/2011 03:49 PM, Thomas Meyer wrote:
 Hi,

 I try to run a x86_64 kernel on x86 Fedora 15 userland. But systemd get's 
 somehow stuck in the boot process. Any ideas how to debug the problem? What 
 is systemd waiting for?

 I need to boot with selinux=0 as I get some selinux errors (file not found 
 or something like this, strangley these lines doesn't show up in the 
 netconsole log).

 Here is what I could catch via netconsole and systemd.log_level=debug:


 Have you grabbed the latest SELinux policy out of koji for F15?  What
 AVC messages are you seeing?
 
 I don't get an AVC message, so maybe there is not problem with selinux, just 
 with plymouth, that ABRTs.
 
 But I see this:
 
 [7.204437] type=1403 audit(1304471120.046:3): policy loaded 
 auid=4294967295 ses=4294967295
 Unable to fix label of /sys/fs/cgroup/systemd: No such file or directory
 Unable to fix label of /sys/fs/cgroup/cpuset: No such file or directory
 Unable to fix label of /sys/fs/cgroup/cpu: No such file or directory
 Unable to fix label of /sys/fs/cgroup/cpuacct: No such file or directory
 Unable to fix label of /sys/fs/cgroup/devices: No such file or directory
 Unable to fix label of /sys/fs/cgroup/freezer: No such file or directory
 Unable to fix label of /sys/fs/cgroup/net_cls: No such file or directory
 Unable to fix label of /sys/fs/cgroup/blkio: No such file or directory
 [7.828143] 31systemd[1]: Successfully opened /dev/kmsg for logging.
 [7.829998] 30systemd[1]: systemd 25 running in system mode. (+PAM 
 +LIBWRAP +AUDIT +SELINUX +SYSVINIT +LIBCRYPTSETUP; fedora)
 
 I guess systemd tries to relabel these files, but fails somehow!?

Well the cgroup file system does not support labeling yet, so I would
expect systemd-tmpfiles to fail there.


-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk3ARJAACgkQrlYvE4MpobN/0QCgxUh7zBNdelC1rx5J2W9le9OU
ujgAoLtaYkNb/SKVFyUk2pVVlYAcAdLt
=Ax0l
-END PGP SIGNATURE-
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] systemd - move /selinux to /sys/fs/selinux - maybe remove /srv ?

[Daniel J Walsh]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 04/29/2011 11:07 AM, Stephen Smalley wrote:
 On Fri, 2011-04-29 at 00:37 +0200, Michał Piotrowski wrote:
 Hi,

 I think it's a very good decision - I never understood why selinux dir
 is directly under /.
 
 I guess I missed some discussion of this.  You'd need to update
 libselinux at least, definition of SELINUXMNT in
 libselinux/src/policy.h, used by selinux_init_load_policy() to mount
 selinuxfs for initial policy load.  And it may break rc scripts and
 other scripts/programs that have become accustomed to /selinux.
 

Here is the patch I am thinking about.

I think mock might need to be updated, maybe livecd tools.

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk2615cACgkQrlYvE4MpobPYlQCfeB3H0/eTVITUbOkv66/P+0DB
7pAAn3nYJZSDLyJnDv7+VXwTlZQ3TW9R
=2hkb
-END PGP SIGNATURE-
diff --git a/libselinux/src/init.c b/libselinux/src/init.c
index a948920..43aa296 100644
--- a/libselinux/src/init.c
+++ b/libselinux/src/init.c
@@ -45,6 +45,18 @@ static void init_selinuxmnt(void)
}
} 
 
+   /* We check to see if the original mount point for selinux file
+* system has a selinuxfs. */
+   do {
+   rc = statfs(/selinux, sfbuf);
+   } while (rc  0  errno == EINTR);
+   if (rc == 0) {
+   if ((uint32_t)sfbuf.f_type == (uint32_t)SELINUX_MAGIC) {
+   selinux_mnt = strdup(/selinux);
+   return;
+   }
+   } 
+
/* Drop back to detecting it the long way. */
fp = fopen(/proc/filesystems, r);
if (!fp)
diff --git a/libselinux/src/load_policy.c b/libselinux/src/load_policy.c
index 83d2143..4078f69 100644
--- a/libselinux/src/load_policy.c
+++ b/libselinux/src/load_policy.c
@@ -369,7 +369,17 @@ int selinux_init_load_policy(int *enforce)
 * Check for the existence of SELinux via selinuxfs, and 
 * mount it if present for use in the calls below.  
 */
-   if (mount(selinuxfs, SELINUXMNT, selinuxfs, 0, 0)  0  errno != 
EBUSY) {
+   char *mntpoint = NULL;
+   if (mount(selinuxfs, SELINUXMNT, selinuxfs, 0, 0) == 0 || errno == 
EBUSY) {
+   mntpoint = SELINUXMNT;
+   } else { 
+   /* check old mountpoint */
+   if (mount(selinuxfs, /selinux, selinuxfs, 0, 0) == 0 || 
errno == EBUSY) {
+   mntpoint = /selinux;
+   }
+   } 
+
+   if (! mntpoint ) {
if (errno == ENODEV) {
/*
 * SELinux was disabled in the kernel, either
@@ -384,8 +394,8 @@ int selinux_init_load_policy(int *enforce)
}
 
goto noload;
-   }
-   set_selinuxmnt(SELINUXMNT);
+   } 
+   set_selinuxmnt(mntpoint);
 
/*
 * Note:  The following code depends on having selinuxfs 
@@ -397,7 +407,7 @@ int selinux_init_load_policy(int *enforce)
rc = security_disable();
if (rc == 0) {
/* Successfully disabled, so umount selinuxfs too. */
-   umount(SELINUXMNT);
+   umount(selinux_mnt);
fini_selinuxmnt();
}
/*
diff --git a/libselinux/src/policy.h b/libselinux/src/policy.h
index 10e8712..76f968e 100644
--- a/libselinux/src/policy.h
+++ b/libselinux/src/policy.h
@@ -13,7 +13,7 @@
 #define SELINUX_MAGIC 0xf97cff8c
 
 /* Preferred selinux mount location */
-#define SELINUXMNT /selinux
+#define SELINUXMNT /sys/fs/selinux
 
 /* selinuxfs mount point */
 extern char *selinux_mnt;


libselinux-mountpoint.patch.sig
Description: PGP signature
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] systemd - move /selinux to /sys/fs/selinux - maybe remove /srv ?

[Daniel J Walsh]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 04/29/2011 06:56 PM, Lennart Poettering wrote:
 On Fri, 29.04.11 00:37, Michał Piotrowski (mkkp...@gmail.com) wrote:
 
 Hi,

 I think it's a very good decision - I never understood why selinux dir
 is directly under /.
 
 Yes, I think this would be a good thing to have in F16.
 
 Note however that this needs a tiny kernel patch to work, to create the
 mount point under /sys/fs/selinux. This is a trivial patch and has been
 done for /sys/fs/cgroup before, so I assume this would be easy to get
 in and just needs a champion to push this forward.
 
 By the way, maybe it would be good to think about the meaning of /srv
 existance? For seven years FHS requires that this directory exists
 http://www.pathname.com/fhs/pub/fhs-2.3.html#PURPOSE16A
 but The methodology used to name subdirectories of /srv is
 unspecified as there is currently no consensus on how this should be
 done - so even the authors of the standard did not have anything to
 say about how this directory should be used. Is there a rational
 reason for the existence of this directory besides FHS conformance?
 
 I think /srv actually makes a lot of sense. Probably not so much on the
 desktop, but the boundaries are blurry, and I see no reason to set
 things up differently in this respect between servers and desktops. I
 see little benefit in removing this directory.
 
 Lennart
 
I think moving /selinux is  a bit more complicated then just a simple
kernel change.  We have libselinux changes, Lots of tools have learned
over the years the path of /selinux and lots of users know about it.

I am willing to work towards the goal of moving /selinux, but I might
end up with a symbolic link if we can not fix all of the problems.

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk27RKUACgkQrlYvE4MpobOCoACgvLrAnXtzvxV7ztHP4aiGr8Df
VZ4AnAnqTzUofp62+IHkc9WmTvh74sRE
=NLi7
-END PGP SIGNATURE-
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] What makes systemd-nspawn not suitable for secure container setups?

[Daniel J Walsh]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 04/26/2011 01:54 PM, Lennart Poettering wrote:
 On Mon, 25.04.11 20:51, microcai (micro...@fedoraproject.org) wrote:
 
 于 2011年04月25日 20:43, Daniel J Walsh 写道:
 SELinux  would be a good start.

 No, root inside can still change SE-Linux policy.
 
 No. The SELinux policy can forbid reloading the SELinux policy for
 certain users/processes.
 
 SELinux should work fine to secure nspawn containers.
 
 Lennart
 
Right the idea would be to run all processes within te nspawn container
with the same process label, then only allow the access required for the
container.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk23B90ACgkQrlYvE4MpobNUXACgma9He3gGO6tZdv7WVwJaE0oe
mUsAoJ2GMaDRfP7hpflfS3Eqx3wEQKtM
=CqeA
-END PGP SIGNATURE-
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] What makes systemd-nspawn not suitable for secure container setups?

[Daniel J Walsh]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 04/22/2011 07:42 PM, Josh Triplett wrote:
 The systemd-nspawn manpage lists the various mechanisms used to isolate
 the container, and then says Note that even though these security
 precautions are taken systemd-nspawn is not suitable for secure
 container setups. Many of the security features may be circumvented and
 are hence primarily useful to avoid accidental changes to the host
 system from the container.
 
 How can a process in a systemd-nspawn container circumvent the container
 setup?  What additional steps would systemd-nspawn need to take to
 provide a secure container setup?
 
 - Josh Triplett
 ___
 systemd-devel mailing list
 systemd-devel@lists.freedesktop.org
 http://lists.freedesktop.org/mailman/listinfo/systemd-devel
SELinux  would be a good start.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk21bFcACgkQrlYvE4MpobNwJwCeO7xqfUTykQGDQsiJj3oAYD/4
4bIAoNJucumKU17lquo/insid7cYwCg9
=H8IP
-END PGP SIGNATURE-
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] [PATCH 3/4] condition: add ConditionSELinux

[Daniel J Walsh]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 04/04/2011 06:32 PM, Kay Sievers wrote:
 On Mon, Apr 4, 2011 at 23:39, Michal Schmidt mschm...@redhat.com wrote:
 On Mon, 4 Apr 2011 22:51:55 +0200 Kay Sievers wrote:
 We really need something here that is not tied to the / inode, because
 we want to support r/o / or / on tmpfs with only the subdirs mounted
 from disk. xattrs of / just have the same issues as /.-files, it's
 just a different storage format regarding that problem.

 The key is it would a _per-filesystem_ flag meaning this fs is tainted
 for use with SELinux and needs relabeling.
 The xattr containing the value of the flag would be attached to the
 relative / of every mounted filesystem.

 filesystems mounted ro don't matter, because they cannot get their
 file contexts changed and therefore do not need to be marked tainted.

 mount itself should write the xattr when it mounts the filesystem
 read-write and SELinux is disabled.

 Bill Nottingham noted on IRC that relabeling would then be done by
 systemd in the same pass that handles fsck.
 
 Yeah, sounds good if that works.
 
 The setup we might want to support in the future is that the couple of
 needed / directories are populated by btrfs subvolumes. Something like
 such a flag on the root of the individual subvolume that gets mounted
 might work just fine.
 
 Kay
 ___
 systemd-devel mailing list
 systemd-devel@lists.freedesktop.org
 http://lists.freedesktop.org/mailman/listinfo/systemd-devel
systemd should check if the mount flag includes seclabel field.
before labeling.
If a file system does not support labeling or does is mounted with a
context mount option, the file system will not show the label seclabel.

grep seclabel /proc/self/mountinfo


-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk2bDkMACgkQrlYvE4MpobN9zQCfWIFyN/v867REStweuQjjFNbi
7ZUAoK8w6DDOz3+B9VYvYENDi6g4MOY0
=jz/r
-END PGP SIGNATURE-
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] [PATCH 3/4] condition: add ConditionSELinux

[Daniel J Walsh]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 04/05/2011 08:59 AM, Lennart Poettering wrote:
 On Tue, 05.04.11 08:42, Daniel J Walsh (dwa...@redhat.com) wrote:
 
 systemd should check if the mount flag includes seclabel field.
 before labeling.
 If a file system does not support labeling or does is mounted with a
 context mount option, the file system will not show the label seclabel.

 grep seclabel /proc/self/mountinfo
 
 What happens if we try to relabel those file systems nonetheless? Just errors?
 
 Hmm, we currently only relabel /run and /dev recursively, plus the
 top-level inode of all API file systems we mount. 
 
 I presume devtmpfs and tmpfs do support seclabel, right? Do we really
 have to code a check for this flag? Given that the list of API mount points
 we mount at early boot is pretty much fixed
 (http://cgit.freedesktop.org/systemd/tree/src/mount-setup.c#n51) we
 could just hardcod the invocation of the relabelling per-filesystem.
 
 Do you have any particular file system in mind where we currently
 relabel where we shouldn't?
 
 I'd like to understand what the precise implications of the seclabel
 option are, is there some doc available somewhere? The mount man page
 doesn't mention it... :-(
 
 Lennart
 
SECLABEL is a kernel flag that indicates that the file system supports
extended attributes file labeling.  It is not a mount option.  If you
mount with a context=system_u:object_r:TYPE_T:so flag, then the kernel
will turn off the SECLABEL flag.  The flag will also not show up on file
systems that do not supported extended attributes.

In F14 the rc.sysinit script would execute the fixfiles restore script
if it found a /.autorelabel in the root directory.

fixfiles restore

would then look at ALL mounted file systems that did not have the
SECLABEL flag on them, and fix the labels.

I would recommend that you use fixfiles/setfiles/restorecon to relabel
the file systems you see with the autorelabel flag in them.

I still have a problem with going with the mount command writing the
/.autorelabel flag, in that an admin might want to force a relabel of
his entire file system, he currently just adds /.autorelabel.  I the new
model he would have to go to every file system and put the flag in the
root of the file system.

Or we could continue to have /.autorelabel means force a relabel
everywhere, where as .autorelabel in a file system with out
/.autorelabel will cause just that file system to be relabeled.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk2bHBkACgkQrlYvE4MpobNnlQCfXivNMJhs7aZ2kFmiaHhshIU6
ZdEAoOKNjL3vyM87yXfxHWRKdYNw5VKj
=aLG8
-END PGP SIGNATURE-
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] SELinux support takes up ~15MB of memory?

[Daniel J Walsh]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 01/06/2011 07:28 PM, Lennart Poettering wrote:
 On Sat, 04.12.10 22:57, Ran Benita (ran...@gmail.com) wrote:
 
 The culprit seems to be selabel_lookup_raw which gets called by
 several functions in label.c (mostly label_mkdir and label_fix).
 These, in turn, seem to compile a great amount of regexes and store
 them in an array in an selabel_handle struct. systemd keeps around
 one called label_hnd (in label.c) in a static global variable for the
 duration of the program.
 This is what I observed from reading label.c in systemd, label_file.c
 in libselinux, and some gdb. But I may have got it completely wrong;
 It seems to keep the entire policy in memory, or something of the
 sort, but I really don't know how it's _supposed_ to work.
 
 This big blob is the policy data. It is loaded the first time we have to
 label something and then stays in memory.
 
 The data must be accessible at runtime hence the only real improvement
 we could do here is if libselinux would be able to share the loaded
 policy in some way, using mmap. But maybe they are already doing this.
 
 Anyway, I think this needs to be optimized more in libselinux than in
 systemd, so I'd encourage you to ping the selinux folks about this!
 
 Lennart
 

Well it is keeping the entire file context tree labeling tree in memory.

The file /etc/selinux/targeted/context/files/file_contexts compiled into
Regexs.  One optimization would be to only load the the directories that
systemd is going to create files in, rather then the hole tree.  For
example I think you can say load only the regex starting with /var if
systemd is only going to create and label content under /var.  This
would cause the size to shring considerably

# wc -l /etc/selinux/targeted/contexts/files/file_contexts
3884 /etc/selinux/targeted/contexts/files/file_contexts

# grep ^/var  /etc/selinux/targeted/contexts/files/file_contexts | wc -l
1028

# grep ^/var/run  /etc/selinux/targeted/contexts/files/file_contexts | wc -l
326
# grep ^/var/lock  /etc/selinux/targeted/contexts/files/file_contexts |
wc -l
10

Taking it a step father, we could decrease it even further.


-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk0nIbAACgkQrlYvE4MpobPMdgCeKXgWBeZEOhlPrZYoGyXWbOgR
iHwAnRp6VbQD7n8Kq+o0kJ4mkq3sVs8f
=LzXg
-END PGP SIGNATURE-
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] SELinux support takes up ~15MB of memory?

[Daniel J Walsh]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 01/07/2011 09:33 AM, Lennart Poettering wrote:
 On Fri, 07.01.11 09:22, Daniel J Walsh (dwa...@redhat.com) wrote:
 
 The data must be accessible at runtime hence the only real improvement
 we could do here is if libselinux would be able to share the loaded
 policy in some way, using mmap. But maybe they are already doing this.

 Anyway, I think this needs to be optimized more in libselinux than in
 systemd, so I'd encourage you to ping the selinux folks about this!

 Lennart


 Well it is keeping the entire file context tree labeling tree in memory.

 The file /etc/selinux/targeted/context/files/file_contexts compiled into
 Regexs.  One optimization would be to only load the the directories that
 systemd is going to create files in, rather then the hole tree.  For
 example I think you can say load only the regex starting with /var if
 systemd is only going to create and label content under /var.  This
 would cause the size to shring considerably
 
 Hmm, can we start with an empty loaded policy and then load additional
 parts of it as we go? i.e. if we encounter a socket /foo/bar/waldo we
 ask libselinux to load /foo/bar, and so on? Most likely 90% of the
 sockets will be in the same dir anyway (/var/run), so after the first
 socket everything we need should be loaded most of the time. However,
 since sockets can be configured dynamically to any place we might need
 to load policy for other areas, too. Hence if we could load hte policy
 bit by bit we should get relatively nice behaviour and only load a
 minimal subset of the policy into memory.
 
 Lennart
 
I think the library functions are there to do this, but you would have
to do the management of the paths.  libselinux I believe does not have
the capability to add a path after the initial load but you could have a
link list of paths connected to blobs of regexes.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk0nJfUACgkQrlYvE4MpobMc7wCg1zTXuTM3RGw8xdtjHaam6qwh
X4IAoN4A6otCI+FYBvbOMCexyUC/rtbm
=+LZF
-END PGP SIGNATURE-
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] SELinux support takes up ~15MB of memory?

[Daniel J Walsh]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 01/07/2011 09:44 AM, Lennart Poettering wrote:
 On Fri, 07.01.11 09:40, Daniel J Walsh (dwa...@redhat.com) wrote:
 
 Hmm, can we start with an empty loaded policy and then load additional
 parts of it as we go? i.e. if we encounter a socket /foo/bar/waldo we
 ask libselinux to load /foo/bar, and so on? Most likely 90% of the
 sockets will be in the same dir anyway (/var/run), so after the first
 socket everything we need should be loaded most of the time. However,
 since sockets can be configured dynamically to any place we might need
 to load policy for other areas, too. Hence if we could load hte policy
 bit by bit we should get relatively nice behaviour and only load a
 minimal subset of the policy into memory.

 Lennart

 I think the library functions are there to do this, but you would have
 to do the management of the paths.  libselinux I believe does not have
 the capability to add a path after the initial load but you could have a
 link list of paths connected to blobs of regexes.
 
 So, instead of loading one single policy blob we would basically load a
 number of independent policy blobs, but always only parts of the real
 thing? I guess that is quite doable, though I do wonder how the prefix
 finding algorithm should best look like...
 
 Lennart
 
Yes and you have a speed versus size thing.   Do you want to compile
/var once or /var/lock and /var/run or much worse /var/run/app1 and
/var/run/app2 ...

I would not go above two directories.

If you really want size versus speed you could free the blobs once you
got to a steady state, if you can figure out you are in a steady state.
 And then reload them if you need too.


-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk0nLtIACgkQrlYvE4MpobNwcACglha7dxx5qst94OiSmCnNZWf7
SiUAoNhUGB1EKvX9Iu2HPRUFxw46WZ8B
=eciC
-END PGP SIGNATURE-
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] SELinux support takes up ~15MB of memory?

[Daniel J Walsh]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 01/07/2011 11:00 AM, Lennart Poettering wrote:
 On Fri, 07.01.11 10:18, Daniel J Walsh (dwa...@redhat.com) wrote:
 
 On 01/07/2011 09:44 AM, Lennart Poettering wrote:
 On Fri, 07.01.11 09:40, Daniel J Walsh (dwa...@redhat.com) wrote:

 Hmm, can we start with an empty loaded policy and then load additional
 parts of it as we go? i.e. if we encounter a socket /foo/bar/waldo we
 ask libselinux to load /foo/bar, and so on? Most likely 90% of the
 sockets will be in the same dir anyway (/var/run), so after the first
 socket everything we need should be loaded most of the time. However,
 since sockets can be configured dynamically to any place we might need
 to load policy for other areas, too. Hence if we could load hte policy
 bit by bit we should get relatively nice behaviour and only load a
 minimal subset of the policy into memory.

 Lennart

 I think the library functions are there to do this, but you would have
 to do the management of the paths.  libselinux I believe does not have
 the capability to add a path after the initial load but you could have a
 link list of paths connected to blobs of regexes.

 So, instead of loading one single policy blob we would basically load a
 number of independent policy blobs, but always only parts of the real
 thing? I guess that is quite doable, though I do wonder how the prefix
 finding algorithm should best look like...

 Lennart

 Yes and you have a speed versus size thing.   Do you want to compile
 /var once or /var/lock and /var/run or much worse /var/run/app1 and
 /var/run/app2 ...

 I would not go above two directories.

 If you really want size versus speed you could free the blobs once you
 got to a steady state, if you can figure out you are in a steady state.
  And then reload them if you need too.
 
 Hmm, so, I wonder how far we could get by just hardcoding that we preload
 /var/run, /var/lock and /dev (the latter for /dev/initctl). That should
 cover 100% of the sockets/fifos of a usual install. And if that doesn't
 suffice we load the real deal on-demand.
 
 So, loading parts of the policy apparently takes up less memory. How
 exactly is the speed of loading the policy influenced by this? I.e. is
 loading a part of the policy as CPU/IO intensive as loading the full thing?
 Or even more CPU intensive due to a lot of compares? Or cheaper?
 
 Lennart
 
I think it is just setup time.   If all you are labeling in /dev is
initctl, I would say just load that,  /dev has lots of labels, that udev
has to handle.  The library is call regcomp on each line.

grep ^/dev /etc/selinux/targeted/contexts/files/file_contexts | wc -l
277

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk0nQZEACgkQrlYvE4MpobMxSwCfTczLRvKuVly/APVLEhW3cp4P
WRcAoLuzneawNoV1/JlWhSmMuvCsxLkq
=cJj7
-END PGP SIGNATURE-
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel