On Thu, 15.05.14 18:54, Miroslav Grepl (mgr...@redhat.com) wrote:

> >> u->runtime_path = p;
> >> return 0;
> >> @@ -423,7 +424,9 @@ int user_start(User *u) {
> >> log_debug("New user %s logged in.", u->name);
> >> /* Make XDG_RUNTIME_DIR */
> >> + label_init("/var/run/user");
> >
> > This looks incorrect. label_init() will be a NOP the second it is
> > called, and we already call it in logind, with the /etc prefix, hence
> > we'll only load an incomplete database for the other invocation...
>
> Well I thought it too but it was not working without this
> initialization.

Sure, some kind of initialization is needed. However, the database is
loaded statically into the process and once only, so you end up with an
incomplete database where the bits for the other place where we need
labelling are missing..

> >> r = user_mkdir_runtime_path(u);
> >> + label_finish();
> >> if (r < 0)
> >> return r;
> >
> > Why is this necessary, even? I thought selinux in the kernel was nowadays
> > able to take the file name to create into account when applying a label,
> > so why do we need userspace magic for this?
>
> See
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1092059#c0

Which doesn't explain why the kernel cannot derive this rule on its
own. I thought the kernel could take the file/dir name to create into
account nowadays when it is created to find its initial label. But if
the kernel can do that, why do we need to involve userspace still?

I'd really prefer if we could keep userspace-controlled labelling at a
minimum. If you ask me we kinda already do too much of it...

Lennart

--
Lennart Poettering, Red Hat
_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
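Review bot: the label_init("/var/run/user") / label_finish() pair in user_start() wraps a single user_mkdir_runtime_path() call, but it manipulates state that is process-global (the thread notes the database is loaded into the process once only), and user_start() runs once per login. So either label_init() is a no-op here and the "/var/run/user" prefix never takes effect, or label_finish() tears down the database logind loaded with the /etc prefix for everything else it labels. Suggest dropping the per-login init/finish and, if a second prefix is really needed, loading both prefixes in the single initialization logind already does at startup.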