Patches needed by systemd 255~rc2-1 in Debian/unstable that weren't needed in 254.5-1. #734
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…eeded in 254.5-1. Now the program that launches daemons from systemd is running as initrc_t so that needs some access that previously only init_t had. It needs term_watch_reads_unallocated_ttys() to check the terminal devices before launching getty. In the init_daemon_domain() and init_system_domain() interfaces initrc_t needs a nnp_transition due to more restrictive policies in systemd to use nnp more. Also those interfaces need to allow the daemon to talk to initrc_t via a unix stream socket as that is apparently the stdout or something. In the auth_use_pam_systemd() macro systemd_logind_t needs to access file descriptors from the PAM using program in question due to a change in pam-systemd.so. Not having this access results in the PAM code waiting for a 20 second timeout before proceeding with the login. xdm_t needs this auth_use_pam_systemd() interface, it apparently worked before because even though it uses pam-systemd the operations that the older version performed were permitted by other rules. Finally added systemd_dbus_chat_hostnamed(xdm_t) which is needed by a previous update to systemd (before 254.5-1). Signed-off-by: Russell Coker <[email protected]>
Signed-off-by: Russell Coker <[email protected]>
…s this Signed-off-by: Russell Coker <[email protected]>
Signed-off-by: Russell Coker <[email protected]>
…ogin process exits without relabelling the device Signed-off-by: Russell Coker <[email protected]>
pebenito
requested changes
Nov 28, 2023
| @@ -1155,6 +1156,8 @@ ifdef(`init_systemd',` | |||
| # for logsave in strict configuration | |||
| fstools_write_log(initrc_t) | |||
|
|
|||
| fs_mounton_memory_pressure(initrc_t) | |||
There was a problem hiding this comment.
What process is doing this? It seems odd that it would be an initrc_t process instead of init_t.
| @@ -356,6 +356,12 @@ interface(`init_daemon_domain',` | |||
|
|
|||
| domtrans_pattern(initrc_t, $2, $1) | |||
|
|
|||
| # so new systemd and other mechanisms can set NNP and still execute a domain transition | |||
| allow initrc_t $1:process2 nnp_transition; | |||
There was a problem hiding this comment.
I think we want nosuid_transition too.
| @@ -551,6 +557,12 @@ interface(`init_system_domain',` | |||
|
|
|||
| domtrans_pattern(initrc_t, $2, $1) | |||
|
|
|||
| # so systemd and other mechanisms can set NNP and still execute a domain transition | |||
| allow initrc_t $1:process2 nnp_transition; | |||
|
|
||
| # for new systemd to redirect output to socket | ||
| allow $1 initrc_t:unix_stream_socket rw_socket_perms; | ||
|
|
There was a problem hiding this comment.
Please move the above additions to the below init_systemd block.
| @@ -722,6 +722,7 @@ allow initrc_t self:fifo_file rw_fifo_file_perms; | |||
|
|
|||
| allow initrc_t initrc_devpts_t:chr_file rw_term_perms; | |||
| term_create_pty(initrc_t, initrc_devpts_t) | |||
| term_watch_reads_unallocated_ttys(initrc_t) | |||
There was a problem hiding this comment.
This should go in the init_systemd block.
| @@ -1497,6 +1500,10 @@ optional_policy(` | |||
| rpm_delete_db(initrc_t) | |||
| ') | |||
|
|
|||
| optional_policy(` | |||
| userdom_watch_user_ttys(initrc_t) | |||
There was a problem hiding this comment.
Seems like this should go in the init_systemd block.
| ## </summary> | ||
| ## </param> | ||
| # | ||
| interface(`systemd_logind_use_fds',` |
|
I'd appreciate additional notes either in the commit messages or above in the PR description about what issues/new features these patches address. As demonstrated in #736, these details are important. |
|
It looks like the |
|
This PR has not had any recent activity. It will be closed in 7 days if it makes no further progress. |
|
Closing stale PR. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.