It was <2013-12-18 śro 20:31>, when Schaufler, Casey wrote:
>> -----Original Message-----
>> From: [email protected] [mailto:[email protected]] On
>> Behalf Of Lukasz Stelmach
>> Sent: Wednesday, December 18, 2013 9:52 AM
>> To: [email protected]
>> Subject: [Dev] smack setup incomplete, systemd-journal fails
>>
>> Hi,
>>
>> I've got quite a recent RD-PQ image: tizen_20131217.8. There is a problem
>> with systemd-journald failing to start because
>
> Where did you get this image? What are you running it on?
>
>>
>> + "Failed to open /dev/kmsg, ignoring: Permission denied"
>
> This looks like you don't have the systemd rules file
> 55-udev-default-smack-rules. This might indicate that the images do
> not have a current version of systemd. A temporary workaround is:
>
> chsmack -a '*' /dev/kmsg

Not that simple :-D The problem is in smack_syslog() from smack_lsm.c.
With the following patch applied:
--8<---------------cut here---------------start------------->8---
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 3f01cf5..952e8cd 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -226,18 +226,20 @@ static int smack_ptrace_traceme(struct task_struct *ptp)
static int smack_syslog(int typefrom_file)
{
int rc = 0;
+ struct smk_audit_info ad;
struct smack_known *skp = smk_of_current();
if (smack_privileged(CAP_MAC_OVERRIDE))
return 0;
- if (skp != &smack_known_floor)
+ if (skp != &smack_known_floor)
rc = -EACCES;
+ smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_NONE);
+ smack_log(skp->smk_known, "", 0, rc, &ad);
return rc;
}
-
/*
* Superblock Hooks.
*/
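Review bot: the smack_log() call added at the end of smack_syslog() passes "" as the object label and 0 as the request, so the audit record comes out with object="" and an empty requested= field, exactly as in the console output that follows. The check in this function compares the caller against smack_known_floor, so passing smack_known_floor.smk_known as the object label would make the record say what the subject was measured against. The call also sits after the `if (smack_privileged(CAP_MAC_OVERRIDE))` early return, so callers that pass through that branch are never logged; if the intent is to trace every decision taken here, the logging has to cover that path too. Finally, the -/+ pair on `if (skp != &smack_known_floor)` and the removed blank line before the Superblock Hooks comment are whitespace-only changes and should be dropped from the patch.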
--8<---------------cut here---------------end--------------->8---
and console messages:
--8<---------------cut here---------------start------------->8---
[ 5.542679] type=1400 audit(946697015.045:2): lsm=SMACK fn=smack_syslog
action=denied subject="System" object="" requested= pid=1259
comm="systemd-journal"
Failed to open /dev/kmsg, ignoring: Permission denied
[...]
root:~> systemctl status systemd-journald.service
systemd-journald.service - Journal Service
Loaded: loaded (/usr/lib/systemd/system/systemd-journald.service; static)
Active: active (running) since Fri 1999-12-31 19:23:34 PST; 10min ago
Docs: man:systemd-journald.service(8)
man:journald.conf(5)
Main PID: 1259 (systemd-journal)
Status: "Processing requests..."
CGroup: /system.slice/systemd-journald.service
└─1259 /usr/lib/systemd/systemd-journald
[...]
--8<---------------cut here---------------end--------------->8---
The cause is more than obvious. However, the solution (at least to me)
is not.
With systemd-journald running with label "System" and not "_" and
without CAP_MAC_OVERRIDE it gets NAKed in smack_syslog. We need some
kind of a solution here.
--
Łukasz Stelmach
Samsung R&D Institute Poland
Samsung Electronics
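
Added example, not part of the original message or of the Smack sources: a shell check that predicts the smack_syslog() verdict for a running process from its Smack label and effective capabilities, following only the two tests visible in the quoted function. Assumptions: the function names and the optional proc-root argument are hypothetical, and smack_privileged() is modelled as nothing more than a test of the CAP_MAC_OVERRIDE bit in CapEff.

```shell
#!/bin/sh
# Model of the checks in the quoted smack_syslog():
#   1. smack_privileged(CAP_MAC_OVERRIDE) -> allow
#   2. label is the floor label "_"       -> allow
#   3. anything else                      -> -EACCES
# Assumption: privilege is reduced to the CapEff bit test below.

CAP_MAC_OVERRIDE=32   # capability number from linux/capability.h

# has_mac_override CAPEFF_HEX: succeeds if bit 32 is set in the mask
has_mac_override() {
    [ $(( (0x$1 >> CAP_MAC_OVERRIDE) & 1 )) -eq 1 ]
}

# smack_syslog_verdict LABEL CAPEFF_HEX: prints "allow" or "deny"
smack_syslog_verdict() {
    if has_mac_override "$2"; then
        echo allow
    elif [ "$1" = "_" ]; then
        echo allow
    else
        echo deny
    fi
}

# verdict_for_pid PID [PROCROOT]: reads the Smack label from
# attr/current and CapEff from status, then applies the model.
# PROCROOT defaults to /proc; it exists so the check can be run
# against a copied or constructed directory tree.
verdict_for_pid() {
    root=${2:-/proc}
    label=$(tr -d '\0\n' < "$root/$1/attr/current")
    capeff=$(awk '/^CapEff:/ { print $2 }' "$root/$1/status")
    smack_syslog_verdict "$label" "$capeff"
}

# Stand-alone use: ./script PID [PROCROOT]
if [ $# -gt 0 ]; then
    verdict_for_pid "$@"
fi
```

For the case in this message (label "System", no CAP_MAC_OVERRIDE) the model prints deny, matching the audit record above.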
