On Tue, 2015-07-21 at 03:27 +, Zbigniew Jędrzejewski-Szmek wrote:
fedup-system-upgrade.service uses an additional flag file which is
checked with ConditionPathExists so it will not run if 'dnf fedup reboot'
did not create the flag, even if we go into system-upgrade.target.
If you've got SELinux policy loaded, label_hnd is your labeling handle.
When systemd is shutting down, we free that handle via mac_selinux_finish().
But: switch_root() calls mkdir_p_label(), which tries to look up a label
using that freed handle, and so we get a bunch of garbage and eventually
On Fri, 2014-04-25 at 18:26 -0400, Will Woods wrote:
Currently, systemd refuses to load SELinux policy more than once.
Normal systems don't care, because they either:
a) have initramfs without policy, then load policy after switch-root, or
b) load policy in initramfs, and never switch-root
Hey all,
Currently, systemd refuses to load SELinux policy more than once.
Normal systems don't care, because they either:
a) have initramfs without policy, then load policy after switch-root, or
b) load policy in initramfs, and never switch-root out.
But if you *do* switch-root more than once
7-space indentation is just too weird to leave alone.
Make it 8 spaces, as per CODING_STYLE. No other changes.
---
src/core/ima-setup.c | 110 +-
src/core/selinux-setup.c | 152 +++
2 files changed, 131 insertions(+),
When you switch-root into a new root that has SELinux policy, you're
supposed to run selinux_init_load_policy() to set up SELinux and load
policy. Normally this gets handled by selinux_setup().
But if SELinux was already initialized, selinux_setup() skips loading
policy and returns 0. So if
On Thu, 2014-02-20 at 18:17 +, Colin Walters wrote:
I think both of these (particularly the second) are worse than my
patch - we don't (to my knowledge) support putting policy in the
initramfs now with Fedora or Red Hat Enterprise Linux, so attempting
to find it there by default on every
If you enter unit_add_exec_dependencies with m->where = NULL, you'll
very likely end up aborting somewhere under socket_needs_mount.
(When systemd goes to check to see if the journald socket requires your
mount, it'll do path_startswith(path, m->where)... *kaboom*)
This patch should ensure that: