> -----Original Message-----
> From: Patrick Ohly [mailto:[email protected]]
> Sent: Tuesday, February 03, 2015 3:09 PM
> To: Schaufler, Casey
> Cc: Tizen Dev; Xavier Roche; ronan
> Subject: smack + /sys/fs/cgroup/systemd
>
> Hello Casey,
>
> do you know why /sys/fs/cgroup/systemd has access="*" on Tizen?

That is cgroupfs. It's not a real filesystem, and as it is used as a system control data structure it needs to be Smack writeable by everyone. Access is controlled by UID.

> Where is
> that access set, and is it perhaps inherited by all files and
> directories created underneath it?

Yes. So long as you remain on the cgroupfs, all files will be labeled "*".

> From a running Tizen:
>
> # mount | grep /sys/fs/cgroup/systemd
> cgroup on /sys/fs/cgroup/systemd type cgroup
> (rw,nosuid,nodev,noexec,relatime,xattr,release_agent=/usr/lib/systemd/systemd-cgroups-agent,name=systemd)
> # chsmack /sys/fs/cgroup/systemd
> /sys/fs/cgroup/systemd access="*"
> # chsmack /sys/fs/cgroup/systemd/user.slice/user-5000.slice/cgroup.procs
> /sys/fs/cgroup/systemd/user.slice/user-5000.slice/cgroup.procs access="*"
>
> The reason for asking is a failure on "Tizen on Yocto" where the user
> session only comes up with security=none.
>
> I traced it down
> to /sys/fs/cgroup/systemd/user.slice/user-5000.slice/cgroup.procs having
> the "_" access label - see
> https://bugs.tizen.org/jira/browse/TC-1964?focusedCommentId=51744&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-51744

Does the kernel have 36ea735b522d09826ae0dac0e540f294436c52f3 "Smack: Label cgroup files for systemd" applied?

> Because of that, "systemd --user" fails with "Failed to create root
> cgroup hierarchy: Permission denied".
>
> Ronan, do you remember doing anything special for this in previous
> versions of "Tizen on Yocto"?
>
> --
> Best Regards, Patrick Ohly
>
> The content of this message is my personal opinion only and although
> I am an employee of Intel, the statements I make here in no way
> represent Intel's position on the issue, nor am I authorized to speak
> on behalf of Intel on this matter.
>
> _______________________________________________
> Dev mailing list
> [email protected]
> https://lists.tizen.org/listinfo/dev
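The thread's diagnosis rests on one check: every entry under a cgroupfs mount should carry the Smack access label "*", and a single file labeled "_" (as cgroup.procs was on the Yocto build) is enough to break "systemd --user". The script below is an added example, not code from either participant or from Tizen; it parses `chsmack` output lines (a constructed sample that reproduces the mislabeled cgroup.procs from the thread) and lists every path whose label is not "*". The `read_live_label` helper reads the `security.SMACK64` xattr directly on a running Linux system and is an assumption about how one would check without `chsmack`; the sample paths and labels are constructed to mirror the thread.

```python
"""Check that a cgroupfs tree carries the Smack "*" label everywhere.

Added example for the thread above; the sample chsmack output is
constructed, not captured from a real Tizen image.
"""
import os
import re
from typing import Dict, List, Optional

# Constructed sample of `chsmack` output. The last line reproduces the
# symptom from the thread: cgroup.procs labeled "_" instead of "*".
SAMPLE_CHSMACK = """\
/sys/fs/cgroup/systemd access="*"
/sys/fs/cgroup/systemd/user.slice access="*"
/sys/fs/cgroup/systemd/user.slice/user-5000.slice access="*"
/sys/fs/cgroup/systemd/user.slice/user-5000.slice/cgroup.procs access="_"
"""

# chsmack prints: <path> access="<label>" [execute="..." ...]
_CHSMACK_RE = re.compile(r'^(?P<path>\S+) access="(?P<label>[^"]*)"')


def parse_chsmack(output: str) -> Dict[str, str]:
    """Map each path in chsmack output to its Smack access label."""
    labels: Dict[str, str] = {}
    for line in output.splitlines():
        match = _CHSMACK_RE.match(line.strip())
        if match:
            labels[match.group("path")] = match.group("label")
    return labels


def find_mislabeled(labels: Dict[str, str], expected: str = "*") -> List[str]:
    """Return (sorted) the paths whose label differs from the expected one.

    On cgroupfs the expected label is "*", since the kernel labels every
    file on that filesystem as "*" and relies on UID checks for access.
    """
    return sorted(path for path, label in labels.items() if label != expected)


def read_live_label(path: str) -> Optional[str]:
    """Read the Smack label of a real path via its security.SMACK64 xattr.

    Assumed helper for use on a running Linux system; returns None when the
    xattr cannot be read (non-Linux host, missing path, or no permission).
    """
    try:
        return os.getxattr(path, "security.SMACK64").decode()
    except (OSError, AttributeError):
        return None


if __name__ == "__main__":
    found = parse_chsmack(SAMPLE_CHSMACK)
    for bad in find_mislabeled(found):
        print(f'{bad}: access="{found[bad]}" (expected "*")')
```

Running it against the constructed sample reports only the user-5000.slice/cgroup.procs entry; on a real system, feed it `chsmack -r /sys/fs/cgroup/systemd` output, or call `read_live_label` on the mount point and a few children, to confirm whether the kernel labels the cgroupfs tree the way the reply describes.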
