This finishes up a lot of the work originally started on systemd --user
support including interacting with user units, communicating with the
user's systemd instance, and reading the system journal.
Signed-off-by: Kenton Groombridge <me@concord.sh>
Systemd starts networkd in a sandbox enviroment for enhanced
security. As part of that, several mounts need to be prepared, of
which one fails:
avc: denied { mounton } for pid=711 comm="(networkd)"
path="/run/systemd/unit-root/run/systemd/netif" dev="tmpfs" ino=1538
scontext=system_u:system_r:init_t:s0
tcontext=system_u:object_r:systemd_networkd_runtime_t:s0 tclass=dir
permissive=1
Fix this by declaring directories of systemd_networkd_runtime_t type
as an init daemon mount point.
Signed-off-by: Krzysztof Nowicki <krissn@op.pl>
Enable this only with the systemd_tmpfilesd_factory tunable, otherwise
silence the messages with a dontaudit rule.
Fixes:
avc: denied { relabelfrom } for comm="systemd-tmpfile"
name="pam.d" dev= ino=
scontext=system_u:system_r:systemd_tmpfiles_t:s0
tcontext=system_u:object_r:etc_t:s0 tclass=dir
Signed-off-by: Krzysztof Nowicki <krissn@op.pl>
/usr/share/factory serves as a template directory for
systemd-tmpfilesd. The copy (C) and link (L) commands can utilize this
directory as a default source for files, which should be placed in the
filesystem.
This behaiour is controlled via a tunable as it gives
systemd-tmpfilesd manage permissions over etc, which could be
considered as a security risk.
Relevant denials are silenced in case the policy is disabled.
Signed-off-by: Krzysztof Nowicki <krissn@op.pl>
While systemd recommends to use native binaries as generators due to
performance reasons, there is nothing that really prevents from them
being shell scripts.
This is Gentoo-specific as the affected generator is provided by
the distribution, not by upstream systemd.
Signed-off-by: Krzysztof Nowicki <krissn@op.pl>
This patch is for systemd-machined. Some of it will probably need
discussion but some is obviously good, so Chris maybe you could take
the bits you like for this release?
Signed-off-by: Russell Coker <russell@coker.com.au>
This usage under /dev/.udev has been unused for a very long time and
replaced by functionality in /run/udev. Since these have separate types,
take this opportunity to revoke these likely unnecessary rules.
Fixes#221
Derived from Laurent Bigonville's work in #230
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
On systems that use plymouth, systemd-ask-password may set watches on
the contents on /run/systemd/ask-password, whereas other scenarions only
set watch on the parent directory.
Signed-off-by: Daniel Burgener <Daniel.Burgener@microsoft.com>
Almost all calls to dbus_ interfaces were already optional, this makes
the remaining one optional_policy so that the modules can be installed /
upgraded easier.
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
Signed-off-by: Jason Zaman <jason@perfinion.com>
systemd v247 will access the SELinux status page.
This affects all domains currently opening the label database, having
the permission seutil_read_file_contexts.
see https://github.com/systemd/systemd/pull/16821
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Chris PeBenito
Kenton Groombridge
Krzysztof Nowicki
Russell Coker
Daniel Burgener
Chris PeBenito
(GalaxyMaster)
Jason Zaman
Antoine Tenart
Deepak Rawat
Christian Göttsche
bauen1