On Wed, Feb 19, 2014 at 04:17:15PM +0100, Łukasz Stelmach wrote:
> It was <2014-02-19 śro 16:05>, when Zbigniew Jędrzejewski-Szmek wrote:
> > On Wed, Feb 19, 2014 at 03:44:32PM +0100, Łukasz Stelmach wrote:
> >> How to have support for more than one security fw reasonably
> >> compiled in? (I think this is the moment to create the pattern).
> > Why not? It would be rather constraining for a distribution which wants
> > to support more than one. systemd should just perform the steps necessary
> > for all frameworks compiled in, silently ignoring failures coming
> > from missing frameworks.
>
> Hmm... silent ignoring makes things hard to debug.

Verbose failure is what is done currently. (In general, I'm sure that
there are various places where stuff could be improved.)

When systemd is started, it'll try to initialize SELinux, AppArmor, etc.
If there's no configuration for a specific LSM, it is silently ignored.
If there is configuration, but it cannot be loaded, errors are printed.

Likewise for unit files: if specific directives cannot be executed,
warnings are printed. Depending on the specific directive, this can
result in continued execution or in an error. If support for a specific
security framework is not compiled into systemd, warnings are printed.

> The most robust way for systemd is:
> 1) to check in runtime which frameworks are supported,

We have use_selinux(), use_apparmor(), use_smack().

> 2) to attempt an action for every one of them,
> 3) to return an error if ANY of the actions fail.

In general yes, but different frameworks need hooks in different places.
So we generally insert a call to a function specific to a framework, and
inside this function, a use_*() test is performed, and suitably, either
nothing is done or the setup is performed. If an error happens, it is up
to this function to decide whether silent failure, warning, or an error
are warranted.

Zbyszek

_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
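As an added illustration of the pattern Zbyszek describes (a per-framework hook that performs its own runtime use_*() check and decides for itself between silence, a warning and a hard error), the following C sketch is not systemd's code; the sysfs probe paths, the config paths and the toy "empty file means broken policy" loader are assumptions made for the example.

```c
/* Added example, not systemd's code; probe/config paths are assumptions. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <sys/stat.h>

enum lsm_result { LSM_SKIPPED, LSM_OK, LSM_WARNED, LSM_FAILED };
enum cfg_state  { CFG_ABSENT, CFG_OK, CFG_BROKEN };

struct lsm_hook {
        const char *name;
        const char *probe_path;  /* exists only while the LSM is active in the kernel */
        const char *config_path; /* where this framework keeps its policy (assumed) */
        bool fatal_on_error;     /* the hook's own verdict on a broken config */
};
/* Runtime check in the spirit of use_selinux()/use_apparmor()/use_smack(). */
static bool lsm_in_use(const struct lsm_hook *h) {
        struct stat st;
        return stat(h->probe_path, &st) == 0;
}
/* Toy loader: missing file = no configuration; empty or unreadable = broken. */
static enum cfg_state load_config(const struct lsm_hook *h) {
        FILE *f = fopen(h->config_path, "r");
        if (!f)
                return errno == ENOENT ? CFG_ABSENT : CFG_BROKEN;
        int c = fgetc(f);
        fclose(f);
        return c == EOF ? CFG_BROKEN : CFG_OK;
}
/* Each hook decides for itself between silence, a warning and a hard error. */
enum lsm_result lsm_apply(const struct lsm_hook *h) {
        if (!lsm_in_use(h))
                return LSM_SKIPPED;          /* framework not active: nothing to do */
        switch (load_config(h)) {
        case CFG_ABSENT: return LSM_SKIPPED; /* no configuration: silently ignored */
        case CFG_OK:     return LSM_OK;
        default:
                fprintf(stderr, "%s: configuration present but cannot be loaded\n", h->name);
                return h->fatal_on_error ? LSM_FAILED : LSM_WARNED;
        }
}
/* Try every compiled-in framework; fail only if a hook declared its error fatal. */
int lsm_apply_all(const struct lsm_hook *hooks, size_t n) {
        int rc = 0;
        for (size_t i = 0; i < n; i++)
                if (lsm_apply(&hooks[i]) == LSM_FAILED)
                        rc = -1;
        return rc;
}
```

A real table would pair each framework with its own probe (for example the selinuxfs or smackfs mount point) and its real policy location; here the test cases use always-present device nodes so the four outcomes can be exercised on any Linux box.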