On 2014-12-10 22:37, Lennart Poettering wrote:
> On Tue, 09.12.14 18:26, Lennart Poettering (lenn...@poettering.net) wrote:
>
> > Przemyslaw,
>
>>> +++ b/units/u...@.service.m4.in
>>> @@ -0,0 +1,23 @@
>>> +# This file is part of systemd.
>>> +#
>>> +# systemd is free software; you can redistribute it and/or modify it
>>> +# under the terms of the GNU Lesser General Public License as published by
>>> +# the Free Software Foundation; either version 2.1 of the License, or
>>> +# (at your option) any later version.
>>> +
>>> +[Unit]
>>> +Description=User Manager for UID %i
>>> +After=systemd-user-sessions.service
>>> +
>>> +[Service]
>>> +User=%i
>>> +PAMName=systemd-user
>>> +Type=notify
>>> +ExecStart=-@rootlibexecdir@/systemd --user
>>> +Slice=user-%i.slice
>>> +KillMode=mixed
>>> +Delegate=yes
>>> +m4_ifdef(`HAVE_SMACK',
>>> +Capabilities=cap_mac_admin=i
>>> +SecureBits=keep-caps
>>> +)
>
> I have reverted the last bit above again, since it broke bootups in
> nspawn machines. I figure the CAP_MAC_ADMIN capability is missing from
> the bounding set in an nspawn, and that breaks the caps logic here.
>
> We should find another solution for this. I wanted to get 218 out of
> the door, hence I reverted this bit for now, but we really should find
> a longer term solution for this.
>
> I build systemd with SMACK on, but turned off in the kernel.
>
> Any suggestions what we can do here?
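Review bot: the trailing m4_ifdef(`HAVE_SMACK', ...) block gates Capabilities=cap_mac_admin=i and SecureBits=keep-caps on a build-time define, but whether CAP_MAC_ADMIN can actually be kept is a runtime property of the kernel and of the bounding set the service is spawned in, which is exactly why the unit fails inside nspawn as described above. A build with SMACK support therefore ships a user@.service that hard-fails on every host or container where the capability is absent from the bounding set, even though the user manager itself does not need it there. Suggest either gating these two lines on a runtime check rather than on HAVE_SMACK, or restructuring so the user manager still starts (without the SMACK label-management ability) when the capability is unavailable; in any case a comment above the block explaining why the inheritable cap_mac_admin plus keep-caps is required would make the failure mode understandable to whoever hits it next.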
ConditionSecurity=smack instead of HAVE_SMACK would work, but it would also
require a separate unit for the non-smack case, which is crap.

No easy solutions come to my mind right now, unfortunately...

Cheers,
--
Karol Lewandowski, Samsung R&D Institute Poland

_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel