On 25.07.2016 at 19:41, Lennart Poettering wrote:
On Mon, 25.07.16 19:26, Reindl Harald (h.rei...@thelounge.net) wrote:

just upgraded to Fedora 24

/usr/bin/systemd-run -t --service-type=oneshot --quiet --nice=19 --unit=spamfilter-fetch-samples --description=spamfilter-fetch-samples -p ProtectSystem=full /usr/bin/php /scripts/test.php

doesn't log anything useful or return anything; calling a shell script which is
using "systemd-run" doesn't return to the shell, while journalctl pretends it
got executed and has finished

removing "-p ProtectSystem=full" as in F23 works

Jul 25 19:23:51 mail-gw.thelounge.net systemd[1]: Starting spamfilter-fetch-samples...
Jul 25 19:23:51 mail-gw.thelounge.net systemd[1]: Started spamfilter-fetch-samples.
Jul 25 19:24:21 mail-gw.thelounge.net systemd[1]: Starting spamfilter-fetch-samples...
Jul 25 19:24:21 mail-gw.thelounge.net systemd[1]: Started spamfilter-fetch-samples.

This works fine here:

# /usr/bin/systemd-run -t /bin/echo hallo
Running as unit: run-r2d66d66cfd3f4386bd80ecdc057846ce.service
Press ^] three times within 1s to disconnect TTY.
hallo

# sudo /usr/bin/systemd-run -t -p ProtectSystem=full /bin/echo hallo
Running as unit: run-r0a6d313f96684ec598ee84fb483f2f48.service
Press ^] three times within 1s to disconnect TTY.
hallo

all those simple versions are working here too, but not when it comes to complex scripts running as root and starting other scripts using "su"

the reason is simply that first permissions and so on are ensured and then the tasks themselves are fired with different, low-privileged users

the same still for calling "systemd-run" from a cronjob where I would expect the typical cronmails if there is some output with or without "-p ProtectSystem=full" while without it at least works in an ssh session

Maybe SELinux is borked for this? Does it work if you turn off SELinux
or put it in permissive mode?

no SELinux for me

_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel