systemd-hwdb rebuilds /etc/udev/hwdb.bin from files in /var/lib/udev/hwdb.d/*
making a temp file first in /etc/udev/ then moving the tmp file
over hwdb.bin when complete. It also relabels based in file_contexts
This provides private type for /etc/udev/hwdb.bin
Signed-off-by: Dave Sugar <dsugar@tresys.com>
systemd-update-done needs to be able to create /etc/.updated and /var/.updated
Jun 6 13:11:58 localhost systemd-update-done: Failed to create timestamp file /etc/.updated: Permission denied
Jun 6 13:11:58 localhost systemd-update-done: Failed to create timestamp file /var/.updated: Permission denied
Jun 6 13:11:58 localhost systemd: systemd-update-done.service: main process exited, code=exited, status=1/FAILURE
Jun 6 13:11:58 localhost systemd: Failed to start Update is Completed.
Jun 6 13:11:58 localhost systemd: Unit systemd-update-done.service entered failed state.
Jun 6 13:11:58 localhost systemd: systemd-update-done.service failed.
Signed-off-by: Dave Sugar <dsugar@tresys.com>
This is probably RHEL only - seeing directories in /run/user/$(UID) created as
tmpfs_t rather than user_runtime_t. This appears fixed in newer systemd-logind.
It appears to have been fixed in systemd git repo by Nicolas Iooss 02-Feb-2016
hash 4b51966cf6c06250036e428608da92f8640beb96 probably in systemd-v229
I don't see this merged into RHEL 7.x as of now but as some point it hopefully
will be merged in and this can go away.
Signed-off-by: Dave Sugar <dsugar@tresys.com>
Policy needed for systemd-networkd to function. This is based on a patch from krzysztof.a.nowicki at gmail.com that was submitted back in May (I talked to him via email a while ago about me picking up the patch). He was too busy to update and I needed to get it working.
I am pretty sure I updated everything mentioned in previous feedback, please comment if something is still off and I will revise.
Signed-off-by: Dave Sugar <dsugar@tresys.com>
Label some shell scripts from bridge-utils correctly. Maybe have ifdef
distro_debian around this, not sure what upstream is doing.
systemd_nspawn_t needs to manage the /etc/localtime symlink if you have a
labeled chroot.
Another dontaudit for mon_local_test_t to stop it spamming the logs.
Support a .d directory for dnsmasq config files.
The following patch allows systemd_nspawn_t to create directories under /tmp
and use them as mountpoints. Also allows systemd_nspawn_t to umount cgroup
filesystems.
Allows systemd_backlight_t to search /var/lib.
This patch adds an interface to manage systemd_passwd_var_run_t symlinks that
I'll add another patch to use shortly.
It has a number of changes needed by systemd_logind_t to set permissions for
local logins.
It has some more permissions that systemd_machined_t needs, I don't think it's
everything that systemd_machined_t needs but it's a start.
It has some changes for udev_t for systemd-udevd.
This patch doesn't do everything that is needed to have systemd-nspawn work.
But it does everything that is needed and which I have written in a clear and
uncontroversial way. I think it's best to get this upstream now and then
either have a separate discussion about the more difficult issues, or wait
until I devise a way of solving those problems that's not too hacky.
Who knows, maybe someone else will devise a brilliant solution to the remaining
issues after this is accepted upstream.
Also there's a tiny patch for systemd_machined_t that is required by
systemd_nspawn_t.
Description: systemd-nspawn
Author: Russell Coker <russell@coker.com.au>
Last-Update: 2017-03-29
I believe that I have addressed all the issues Chris raised, so here's a newer
version of the patch which applies to today's git version.
Description: systemd-resolved, sessions, and tmpfiles patches
Author: Russell Coker <russell@coker.com.au>
Last-Update: 2017-03-26
Here's the latest version of my patch to remove all /var/run when it's not
needed. I have removed the subst thing from the patch, but kept a
distro_debian bit that relies on it. So with this patch the policy won't
install if you build it with distro_debian unless you have my subst patch.
Chris, if your automated tests require that it build and install with
distro_debian then skip the patch for sysnetwork.fc.
From Russell Coker
Russell Coker
Chris PeBenito
Laurent Bigonville
Dave Sugar
James Carter
Krzysztof Nowicki
cgzones