Re: [systemd-devel] how to debug failures when trying to lock down services

2017-11-30 Thread Lennart Poettering
On Do, 30.11.17 10:35, Mantas Mikulėnas (graw...@gmail.com) wrote: > Then I'm guessing ProtectSystem=strict overrides ReadWritePaths and makes > /var/log read-only... Hmm, it does? It really shouldn't. I thought the issues were mostly around InaccessiblePaths= not permitting exclusions, not

Re: [systemd-devel] how to debug failures when trying to lock down services

2017-11-30 Thread Michael Biebl
2017-11-30 16:07 GMT+01:00 Michael Biebl : > 2017-11-30 9:35 GMT+01:00 Mantas Mikulėnas : >> On Thu, Nov 30, 2017 at 10:31 AM, Michael Biebl wrote: >>> >>> 2017-11-30 6:52 GMT+01:00 Mantas Mikulėnas : >>> > On Thu, Nov 30,

Re: [systemd-devel] [PATCH weston] doc/systemd: system service example

2017-11-30 Thread Pekka Paalanen
On Thu, 30 Nov 2017 13:29:22 +0100 Lennart Poettering wrote: > On Do, 30.11.17 12:09, Pekka Paalanen (ppaala...@gmail.com) wrote: > > > > Hmm, what is this about? > > > > > > This is racy, as the session ID is not really reliably predictable, > > > and is synthesized in

Re: [systemd-devel] [PATCH weston] doc/systemd: system service example

2017-11-30 Thread Lennart Poettering
On Do, 30.11.17 11:16, Martyn Welch (martyn.we...@collabora.co.uk) wrote: > Debugging suggested that XDG_RUNTIME_DIR was not being created when it > failed. There are 2 processes setting a PAMName, the failing Weston > service and the user@.service (IIRC this gets called as part of user > session

Re: [systemd-devel] [PATCH weston] doc/systemd: system service example

2017-11-30 Thread Lennart Poettering
On Do, 30.11.17 12:09, Pekka Paalanen (ppaala...@gmail.com) wrote: > > Hmm, what is this about? > > > > This is racy, as the session ID is not really reliably predictable, > > and is synthesized in different contexts in different ways, for > > example depnding on whether audit is enabled in the

Re: [systemd-devel] [PATCH weston] doc/systemd: system service example

2017-11-30 Thread Mantas Mikulėnas
On Thu, Nov 30, 2017, 12:10 Pekka Paalanen wrote: > > > +# Set up a full user session for the user, required by Weston. > > > +PAMName=login > > > > Piggy-backing on "login" is a bad idea. "login" is a text tool, and > > thus the PAM rules for it usually pull in some TTY

Re: [systemd-devel] [PATCH weston] doc/systemd: system service example

2017-11-30 Thread Martyn Welch
On Thu, 2017-11-30 at 12:09 +0200, Pekka Paalanen wrote: > On Wed, 29 Nov 2017 19:05:07 +0100 > Lennart Poettering wrote: > > > On Di, 28.11.17 12:14, Pekka Paalanen (ppaala...@gmail.com) wrote: > > > > > + > > > +[Unit] > > > +Description=Weston, a Wayland compositor,

Re: [systemd-devel] [PATCH weston] doc/systemd: system service example

2017-11-30 Thread Pekka Paalanen
On Wed, 29 Nov 2017 19:05:07 +0100 Lennart Poettering wrote: > On Di, 28.11.17 12:14, Pekka Paalanen (ppaala...@gmail.com) wrote: > > > + > > +[Unit] > > +Description=Weston, a Wayland compositor, as a system service > > +Documentation=man:weston(1) man:weston.ini(5) > >

Re: [systemd-devel] how to debug failures when trying to lock down services

2017-11-30 Thread Mantas Mikulėnas
On Thu, Nov 30, 2017 at 10:31 AM, Michael Biebl wrote: > 2017-11-30 6:52 GMT+01:00 Mantas Mikulėnas : > > On Thu, Nov 30, 2017 at 5:27 AM, Michael Biebl wrote: > >> > >> Hi, > >> > >> today I tried to lock down the rsyslog.service that I

Re: [systemd-devel] how to debug failures when trying to lock down services

2017-11-30 Thread Michael Biebl
2017-11-30 6:52 GMT+01:00 Mantas Mikulėnas : > On Thu, Nov 30, 2017 at 5:27 AM, Michael Biebl wrote: >> >> Hi, >> >> today I tried to lock down the rsyslog.service that I have on my system. >> >> For that I first created an override.conf that contained >> >>

Re: [systemd-devel] [Xen-devel] [PATCH v1] core: mount xenfs, ignore proc-xen.mount (#6442, #6662)

2017-11-30 Thread Jan Beulich
>>> On 30.11.17 at 09:23, wrote: > On Wed, Nov 29, Jan Beulich wrote: > >> Ah, I see. But then still I don't see why at least on half way >> recent Xen /sys/hypervisor/properties/features wouldn't have >> the information you're after (and even more precise, because >> down the

Re: [systemd-devel] [Xen-devel] [PATCH v1] core: mount xenfs, ignore proc-xen.mount (#6442, #6662)

2017-11-30 Thread Olaf Hering
On Wed, Nov 29, Jan Beulich wrote: > Ah, I see. But then still I don't see why at least on half way > recent Xen /sys/hypervisor/properties/features wouldn't have > the information you're after (and even more precise, because > down the road control domain and hardware domain may be > separate