On Thu, 15.05.14 18:54, Miroslav Grepl (mgr...@redhat.com) wrote:
> >> u->runtime_path = p;
> >> return 0;
> >>@@ -423,7 +424,9 @@ int user_start(User *u) {
> >> log_debug("New user %s logged in.", u->name);
> >> /* Make XDG_RUNTIME_DIR */
> >>+ label_init("/var/run/user");
>
> >This looks incorrect. label_init() will be a NOP the second it is
> >called, and we already call it in logind, with the /etc prefix, hence
> >we'll only load an incomplete database for the other invocation...
> Well I thought it too but it was not working without this
> initialization.
Sure, some kind of initialization is needed. However, the database is
loaded statically into the process and once only, then you end up with
an incomplete database where the bits the other place where we need
labelling is missing..
> >> r = user_mkdir_runtime_path(u);
> >>+ label_finish();
> >> if (r < 0)
> >> return r;
> >Why is this necessary, even? I though selinux in the kernel was nowadays
> >able to take the file name to create into account when applying a label,
> >so why do we need userspace magic for this?
> See
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1092059#c0
WHich doesn't explain why the kernel cannot derive this rule on its
own. I though the kernel could take the file/dir name to create into
account nowadays when it is created to find its initial label. But if
the kernel can do that, why do we need to involve userspace still?
I'd really prefer if we could keep userspace-controlled labelling at a
minimum. If you ask me we kinda already do too much of it...
Lennart
--
Lennart Poettering, Red Hat
_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
