> -----Original Message-----
> From: Łukasz Stelmach [mailto:[email protected]]
> Sent: Monday, December 23, 2013 6:07 AM
> To: Schaufler, Casey
> Cc: [email protected]
> Subject: Re: [Dev] smack setup incomplete, systemd-journal fails
>
> It was <2013-12-18 Wed 20:31>, when Schaufler, Casey wrote:
> >> -----Original Message-----
> >> From: [email protected]
> >> [mailto:[email protected]] On Behalf Of Lukasz Stelmach
> >> Sent: Wednesday, December 18, 2013 9:52 AM
> >> To: [email protected]
> >> Subject: [Dev] smack setup incomplete, systemd-journal fails
> >>
> >> Hi,
> >>
> >> I've got quite a recent RD-PQ image: tizen_20131217.8. There is a
> >> problem with systemd-journald failing to start because
> >
> > Where did you get this image? What are you running it on?
> >
> >>
> >> + "Failed to open /dev/kmsg, ignoring: Permission denied"
> >
> > This looks like you don't have the systemd rules file
> > 55-udev-default-smack-rules. This might indicate that the images do
> > not have a current version of systemd. A temporary workaround is:
> >
> > chsmack -a '*' /dev/kmsg
>
> Not that simple :-D The problem is in smack_syslog() from smack_lsm.c.
Well, I won't say that's *the* problem, but it certainly is *a* problem.
> With the following patch applied:
>
> --8<---------------cut here---------------start------------->8---
> diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index
> 3f01cf5..952e8cd 100644
> --- a/security/smack/smack_lsm.c
> +++ b/security/smack/smack_lsm.c
> @@ -226,18 +226,20 @@ static int smack_ptrace_traceme(struct task_struct
> *ptp) static int smack_syslog(int typefrom_file) {
> int rc = 0;
> + struct smk_audit_info ad;
> struct smack_known *skp = smk_of_current();
>
> if (smack_privileged(CAP_MAC_OVERRIDE))
> return 0;
>
> - if (skp != &smack_known_floor)
> + if (skp != &smack_known_floor)
> rc = -EACCES;
This check dates back to the first Smack patches and is based on assumptions
that have proven incorrect.
>
> + smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_NONE);
> + smack_log(skp->smk_known, "", 0, rc, &ad);
> return rc;
> }
>
> -
> /*
> * Superblock Hooks.
> */
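Review bot: the smack_log() call added at the end of smack_syslog() passes "" as the object label and 0 as the request mask, so the audit record it emits carries no object and an empty requested= field (exactly what the console output further down shows: object="" requested=); pass the label the check actually compares against (smack_known_floor.smk_known in this hunk) and a nonzero access mask such as MAY_READ so a denial can be read without opening the source. Two smaller points in the same hunk: the `- if (skp != &smack_known_floor)` / `+ if (skp != &smack_known_floor)` pair is a whitespace-only change, and the blank line dropped before the `Superblock Hooks` comment is unrelated churn; both should be left out of a patch that is otherwise only about audit logging.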
> --8<---------------cut here---------------end--------------->8---
>
> and console messages:
>
> --8<---------------cut here---------------start------------->8---
> [ 5.542679] type=1400 audit(946697015.045:2): lsm=SMACK fn=smack_syslog action=denied subject="System" object="" requested= pid=1259 comm="systemd-journal"
> Failed to open /dev/kmsg, ignoring: Permission denied
> [...]
> root:~> systemctl status systemd-journald.service
> systemd-journald.service - Journal Service
> Loaded: loaded (/usr/lib/systemd/system/systemd-journald.service; static)
> Active: active (running) since Fri 1999-12-31 19:23:34 PST; 10min ago
> Docs: man:systemd-journald.service(8)
> man:journald.conf(5)
> Main PID: 1259 (systemd-journal)
> Status: "Processing requests..."
> CGroup: /system.slice/systemd-journald.service
> └─1259 /usr/lib/systemd/systemd-journald
>
> [...]
> --8<---------------cut here---------------end--------------->8---
>
>
> The cause is more than obvious. However, the solution (at least to me) is not.
A small matter of programming. :-)
Create a global smack_syslog_label.
Initialize smack_syslog_label to the star ("*") label, or the floor ("_") label
if you're a stickler for backward compatibility.
Create a smackfs interface "syslog" to get and set the value of
smack_syslog_label.
I will work on this today.
> With systemd-journald running with label "System" and not "_" and without
> CAP_MAC_OVERRIDE it gets naked in smack_syslog. We need some kind of a
> solution here.
>
> --
> Łukasz Stelmach
> Samsung R&D Institute Poland
> Samsung Electronics
_______________________________________________
Dev mailing list
[email protected]
https://lists.tizen.org/listinfo/dev
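An added example, not part of this thread and not the kernel's code: a userspace C model of the configurable syslog check Casey outlines above (a global smack_syslog_label initialised to "*", settable through a smackfs-style "syslog" interface), with the check's outcome for a "System"-labelled journald under the default, the old floor-only behaviour, and a label set by an administrator. The function names smack_syslog_check() and smack_set_syslog_label(), the SMK_LONGLABEL value and the label-character rules in the parser are assumptions; treating a configured "*" as "anyone may log" follows Smack's rule that any access to a star-labelled object is permitted.

```c
/* Added example, not kernel code: model of a configurable smack_syslog()
 * check.  Names, the label limit and the label-character rules below are
 * assumptions made for illustration. */
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define SMK_LONGLABEL 256   /* assumed: maximum label size incl. NUL */

static const char *const SMACK_STAR  = "*";
static const char *const SMACK_FLOOR = "_";

/* Label a subject must carry to use syslog(2)/kmsg when it lacks
 * CAP_MAC_OVERRIDE.  Starts as star (Casey's proposed default);
 * writing "_" restores the historical floor-only behaviour. */
static char smack_syslog_label[SMK_LONGLABEL] = "*";

/* Returns 0 when access is allowed, -EACCES when denied.
 * has_mac_override models smack_privileged(CAP_MAC_OVERRIDE). */
int smack_syslog_check(const char *subject, int has_mac_override)
{
    if (has_mac_override)
        return 0;
    /* Star as the configured (object) label: every subject may log. */
    if (strcmp(smack_syslog_label, SMACK_STAR) == 0)
        return 0;
    if (strcmp(subject, smack_syslog_label) != 0)
        return -EACCES;
    return 0;
}

/* Parse a write to the hypothetical smackfs "syslog" file.  Assumed
 * rules: non-empty, printable, no whitespace, none of / " \ ', shorter
 * than SMK_LONGLABEL, one trailing newline tolerated.  The new label is
 * only installed once the whole buffer has validated. */
int smack_set_syslog_label(const char *buf, size_t count)
{
    char tmp[SMK_LONGLABEL];
    size_t i, n = 0;

    if (count == 0 || count >= sizeof(tmp))
        return -EINVAL;
    for (i = 0; i < count; i++) {
        unsigned char c = (unsigned char)buf[i];
        if (c == '\n' && i == count - 1)
            break;
        if (c == '\0' || isspace(c) || !isprint(c) ||
            c == '/' || c == '"' || c == '\\' || c == '\'')
            return -EINVAL;
        tmp[n++] = (char)c;
    }
    if (n == 0)
        return -EINVAL;
    tmp[n] = '\0';
    memcpy(smack_syslog_label, tmp, n + 1);
    return 0;
}

/* Model of reading the smackfs "syslog" file. */
const char *smack_get_syslog_label(void)
{
    return smack_syslog_label;
}

int main(void)
{
    /* Default "*": journald labelled "System" may open kmsg. */
    printf("default  System -> %d\n", smack_syslog_check("System", 0));

    /* Old behaviour: only the floor label gets through. */
    smack_set_syslog_label(SMACK_FLOOR, strlen(SMACK_FLOOR));
    printf("floor    System -> %d\n", smack_syslog_check("System", 0));
    printf("floor    _      -> %d\n", smack_syslog_check("_", 0));

    /* Administrator hands the privilege to the journal label. */
    smack_set_syslog_label("System\n", 7);
    printf("System   System -> %d (label now %s)\n",
           smack_syslog_check("System", 0), smack_get_syslog_label());

    /* Malformed input is rejected without touching the label. */
    printf("bad write -> %d (label still %s)\n",
           smack_set_syslog_label("bad label", 9), smack_get_syslog_label());
    return 0;
}
```

Validating into a scratch buffer before copying is the detail worth keeping if this ever moves kernel-side: a write that fails halfway must not leave a half-written label that no subject can match, which would silently lock every unprivileged process out of kmsg.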