[systemd-devel] [PATCH] Move apparmor code before the namespace setup
From: Michael Scherer Since apparmor need to access /proc to communicate with the kernel, any unit setting / as readonly will be unable to also use the AppArmorProfile setting, as found on debian bug 760526.
---
src/core/execute.c | 19 ++-
1 file changed, 10 insertions(+), 9 deletions(-)
diff --git a/src/core/execute.c b/src/core/execute.c
index b165b33..1f2da74 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -1501,6 +1501,16 @@ static int exec_child(ExecCommand *command,
}
#endif
+#ifdef HAVE_APPARMOR
+if (params->apply_permissions && context->apparmor_profile && use_apparmor()) {
+err = aa_change_onexec(context->apparmor_profile);
+if (err < 0 && !context->apparmor_profile_ignore) {
+*error = EXIT_APPARMOR_PROFILE;
+return -errno;
+}
+}
+#endif
+
if (context->private_network && runtime && runtime->netns_storage_socket[0] >= 0) {
err = setup_netns(runtime->netns_storage_socket);
if (err < 0) {
@@ -1693,15 +1703,6 @@ static int exec_child(ExecCommand *command,
}
#endif
-#ifdef HAVE_APPARMOR
-if (context->apparmor_profile && use_apparmor()) {
-err = aa_change_onexec(context->apparmor_profile);
-if (err < 0 && !context->apparmor_profile_ignore) {
-*error = EXIT_APPARMOR_PROFILE;
-return -errno;
-}
-}
-#endif
}
err = build_environment(context, n_fds, params->watchdog_usec, home, username, shell, &our_env);
-- 1.8.3.1
___ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel
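Review bot: The relocated `#ifdef HAVE_APPARMOR` block in the first hunk has no comment saying why it must run before `setup_netns()` and the rest of the namespace setup, so a later cleanup could move it back beside the other MAC code and reintroduce the failure the commit message describes. I would add `/* aa_change_onexec() needs /proc; keep this ahead of the namespace setup, which may make /proc unavailable */` above the `if`. Separately, when `apparmor_profile_ignore` is set, a failed switch is dropped without any trace and the service starts without the requested profile; a log line on that path would help anyone auditing confinement. exec_child() starts and ends outside both hunks, so the position relative to the other setup steps cannot be checked from here.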
[systemd-devel] [PATCH] Report aa_change_onexec error code
From: Michael Scherer Since aa_change_onexec return the error code in errno, and return -1, the current code do not give any useful information when something fail. This make apparmor easier to debug, as seen on https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=760526
---
src/core/execute.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/core/execute.c b/src/core/execute.c
index 8b9bb27..b165b33 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -1698,7 +1698,7 @@ static int exec_child(ExecCommand *command,
err = aa_change_onexec(context->apparmor_profile);
if (err < 0 && !context->apparmor_profile_ignore) {
*error = EXIT_APPARMOR_PROFILE;
-return err;
+return -errno;
}
}
#endif
-- 1.8.3.1
___ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel
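Review bot: `return -errno;` reads errno after the `if` test and the `*error` assignment rather than directly after the failing call, and if errno were ever 0 at that point the function would return 0 while `*error` already says `EXIT_APPARMOR_PROFILE`. Capturing the value at the call site keeps the pairing robust against later edits, for example `err = aa_change_onexec(context->apparmor_profile) < 0 ? -errno : 0;` followed by the existing `return err;`. A short comment such as `/* aa_change_onexec() returns -1 and reports the cause in errno */` would record why the conversion is needed. The relocated block in the "Move apparmor code" patch carries the same pattern; exec_child() itself extends beyond the hunk.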
[systemd-devel] [PATCH] Add AppArmor profile switching, v3
3rd version of the patch, taking into account the feedback from Lennart. See http://lists.freedesktop.org/archives/systemd-devel/2014-January/015975.html and http://lists.freedesktop.org/archives/systemd-devel/2014-February/016916.html for details. ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel
[systemd-devel] [PATCH] Add AppArmor profile switching
From: Michael Scherer This permit to switch to a specific apparmor profile when starting a daemon. This will result in a non operation if apparmor is disabled. It also add a new build requirement on libapparmor for using this feature. --- Makefile.am | 2 ++ configure.ac | 13 ++ man/systemd.exec.xml | 13 ++ src/core/build.h | 8 +- src/core/dbus-execute.c | 19 ++ src/core/execute.c| 23 src/core/execute.h| 3 +++ src/core/load-fragment-gperf.gperf.m4 | 3 +++ src/core/load-fragment.c | 49 +++ src/core/load-fragment.h | 1 + src/shared/exit-status.c | 3 +++ src/shared/exit-status.h | 3 ++- 12 files changed, 138 insertions(+), 2 deletions(-) diff --git a/Makefile.am b/Makefile.am index c71367d..4ac2122 100644 --- a/Makefile.am +++ b/Makefile.am @@ -1016,6 +1016,7 @@ libsystemd_core_la_CFLAGS = \ $(AUDIT_CFLAGS) \ $(CAP_CFLAGS) \ $(KMOD_CFLAGS) \ + $(APPARMOR_CFLAGS) \ $(SECCOMP_CFLAGS) \ -pthread @@ -1031,6 +1032,7 @@ libsystemd_core_la_LIBADD = \ $(AUDIT_LIBS) \ $(CAP_LIBS) \ $(KMOD_LIBS) \ + $(APPARMOR_CFLAGS) \ $(SECCOMP_LIBS) if HAVE_SECCOMP diff --git a/configure.ac b/configure.ac index 05ee098..2521741 100644 --- a/configure.ac +++ b/configure.ac @@ -385,6 +385,18 @@ if test "x$enable_selinux" != "xno"; then fi AM_CONDITIONAL(HAVE_SELINUX, [test "$have_selinux" = "yes"]) +have_apparmor=no +AC_ARG_ENABLE(apparmor, AS_HELP_STRING([--disable-apparmor], [Disable optional AppArmor support])) +if test "x$enable_apparmor" != "xno"; then +PKG_CHECK_MODULES([APPARMOR], [libapparmor], +[AC_DEFINE(HAVE_APPARMOR, 1, [Define if AppArmor is available]) have_apparmor=yes], have_apparmor=no) +if test "x$have_apparmor" = xno -a "x$enable_apparmor" = xyes; then +AC_MSG_ERROR([*** AppArmor support requested but libraries not found]) +fi +fi +AM_CONDITIONAL(HAVE_APPARMOR, [test "$have_apparmor" = "yes"]) + + AC_ARG_WITH(debug-shell, AS_HELP_STRING([--with-debug-shell=PATH], [Path to debug shell binary]), 
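Review bot: The second Makefile.am hunk adds `$(APPARMOR_CFLAGS)` to `libsystemd_core_la_LIBADD`, which looks like a copy of the line added to `libsystemd_core_la_CFLAGS` in the first hunk; the link list needs the library flags instead. Its neighbours are `$(AUDIT_LIBS)`, `$(CAP_LIBS)` and `$(KMOD_LIBS)`, so the line should read `$(APPARMOR_LIBS) \`, the variable that `PKG_CHECK_MODULES([APPARMOR], [libapparmor], ...)` in the configure.ac hunk defines. As written, a build with AppArmor enabled would presumably fail to resolve the libapparmor symbols at link time unless the library is pulled in some other way.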
@@ -1110,6 +1122,7 @@ AC_MSG_RESULT([ PAM: ${have_pam} AUDIT: ${have_audit} IMA: ${have_ima} +AppArmor:${have_apparmor} SELinux: ${have_selinux} SECCOMP: ${have_seccomp} SMACK: ${have_smack} diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index 7dbe05d..1983993 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml @@ -968,6 +968,19 @@ + AppArmorProfile= + +Take a profile name as argument. +The process executed by the unit will switch to +this profile when started. Profiles must already +be loaded in the kernel, or the unit will fail. +This result in a non operation if AppArmor is not +enabled. If prefixed by -, all errors +will be ignored. + + + + IgnoreSIGPIPE= Takes a boolean diff --git a/src/core/build.h b/src/core/build.h index c8117ed..3d7cd3e 100644 --- a/src/core/build.h +++ b/src/core/build.h @@ -45,6 +45,12 @@ #define _SELINUX_FEATURE_ "-SELINUX" #endif +#ifdef HAVE_APPARMOR +#define _APPARMOR_FEATURE_ "+APPARMOR" +#else +#define _APPARMOR_FEATURE_ "-APPARMOR" +#endif + #ifdef HAVE_IMA #define _IMA_FEATURE_ "+IMA" #else @@ -87,4 +93,4 @@ #define _SECCOMP_FEATURE_ "-SECCOMP" #endif -#define SYSTEMD_FEATURES _PAM_FEATURE_ " " _LIBWRAP_FEATURE_ " " _AUDIT_FEATURE_ " " _SELINUX_FEATURE_ " " _IMA_FEATURE_ " " _SYSVINIT_FEATURE_ " " _LIBCRYPTSETUP_FEATURE_ " " _GCRYPT_FEATURE_ " " _ACL_FEATURE_ " " _XZ_FEATURE_ " " _SECCOMP_FEATURE_ +#define SYSTEMD_FEATURES _PAM_FEATURE_ " " _LIBWRAP_FEATURE_ " " _AUDIT_FEATURE_ " " _SELINUX_FEATURE_ " " _IMA_FEATURE_ " " _SYSVINIT_FEATURE_ " " _LIBCRYPTSETUP_FEATURE_ " " _GCRYPT_FEATURE_ " " _ACL_FEATURE_ " " _XZ_FEATURE_ " " _SECCOMP_FEATURE_ " " _APPARMOR_FEATURE_ diff --git a/src/core/dbus-execute.c b/src/core/dbus-execute.c index 41dbbab..935c62b 100644 --- a/src/core/dbus-execute.c +++ b/src/core/dbus-execute.c @@ -482,6 +482,24 @@ static int property_get_selinux_context( return sd_bus_message_append(reply, "(bs)", c->selinux_context_igno
[systemd-devel] [PATCH] FIx compilation of nspawn when seccomp is not enabled
From: Michael Scherer --- Makefile.am | 6 +- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/Makefile.am b/Makefile.am index 08b94d7..e4ff7de 100644 --- a/Makefile.am +++ b/Makefile.am @@ -1868,9 +1868,13 @@ systemd_nspawn_LDADD = \ libsystemd-capability.la \ libsystemd-internal.la \ libudev-internal.la \ - libsystemd-shared.la \ + libsystemd-shared.la + +if HAVE_SECCOMP +systemd_nspawn_LDADD += \ libsystemd-seccomp.la \ $(SECCOMP_LIBS) +endif # -- systemd_run_SOURCES = \ -- 1.8.5.3 ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel
[systemd-devel] [PATCH] Do not warn on declaration-after-statement
From: Michael Scherer There is currently around 20 instances of the warning shown when compiling systemd on Fedora 20, and no one seems to correct them. As this is a valid C code for C99 and gcc support C99 since 3.0 ( ie more than 10 years ), it may not be worth showing this warning. --- configure.ac | 1 - 1 file changed, 1 deletion(-) diff --git a/configure.ac b/configure.ac index 939ba6d..3a21a77 100644 --- a/configure.ac +++ b/configure.ac @@ -127,7 +127,6 @@ CC_CHECK_FLAGS_APPEND([with_cflags], [CFLAGS], [\ -Wold-style-definition \ -Wpointer-arith \ -Winit-self \ --Wdeclaration-after-statement \ -Wfloat-equal \ -Wsuggest-attribute=noreturn \ -Wmissing-prototypes \ -- 1.8.4.2 ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel
[systemd-devel] [PATCH] make socket_instantiate_service use cleanup gcc attribute
From: Michael Scherer
---
src/core/socket.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/src/core/socket.c b/src/core/socket.c
index 88599ca..1f2a2c0 100644
--- a/src/core/socket.c
+++ b/src/core/socket.c
@@ -179,7 +179,8 @@ static int socket_arm_timer(Socket *s) {
}
static int socket_instantiate_service(Socket *s) {
-char *prefix, *name;
+_cleanup_free_ char *prefix = NULL;
+_cleanup_free_ char *name = NULL;
int r;
Unit *u;
@@ -199,13 +200,11 @@ static int socket_instantiate_service(Socket *s) {
return -ENOMEM;
r = asprintf(&name, "%s@%u.service", prefix, s->n_accepted);
-free(prefix);
if (r < 0)
return -ENOMEM;
r = manager_load_unit(UNIT(s)->manager, name, NULL, NULL, &u);
-free(name);
if (r < 0)
return r;
-- 1.8.4.2
___ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel
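Review bot: With `name` now declared `_cleanup_free_`, the `if (r < 0) return -ENOMEM;` path after `asprintf(&name, ...)` in the second hunk frees `name` on the way out, and asprintf(3) documents the pointer's contents as undefined when the call fails. Before this change the failure path never touched `name`. Resetting it before the return keeps the cleanup safe whatever the libc does: `if (r < 0) { name = NULL; return -ENOMEM; }`. The allocation of `prefix` is outside the hunk, so the same concern applies there only if it is also filled by asprintf.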
[systemd-devel] [PATCH] Fix format string mismatch introduced in ab9001a1
From: Michael Scherer src/libsystemd-bus/sd-bus.c: In function 'sd_bus_open_user': src/libsystemd-bus/sd-bus.c:1104:25: warning: format '%s' expects argument of type 'char *', but argument 3 has type 'long unsigned int' [-Wformat=] asprintf(&b->address, UNIX_USER_BUS_FMT, (unsigned long) getuid());
---
src/libsystemd-bus/sd-bus.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/libsystemd-bus/sd-bus.c b/src/libsystemd-bus/sd-bus.c
index 61dc0e5..a4e4999 100644
--- a/src/libsystemd-bus/sd-bus.c
+++ b/src/libsystemd-bus/sd-bus.c
@@ -1101,7 +1101,7 @@ _public_ int sd_bus_open_user(sd_bus **ret) {
#ifdef ENABLE_KDBUS
asprintf(&b->address, KERNEL_USER_BUS_FMT ";" UNIX_USER_BUS_FMT, (unsigned long) getuid(), ee);
#else
-asprintf(&b->address, UNIX_USER_BUS_FMT, (unsigned long) getuid());
+asprintf(&b->address, UNIX_USER_BUS_FMT, ee);
#endif
} else {
#ifdef ENABLE_KDBUS
-- 1.8.4.2
___ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel
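Review bot: The corrected `asprintf(&b->address, UNIX_USER_BUS_FMT, ee);` still discards the return value, as does the `ENABLE_KDBUS` variant two lines above it. asprintf(3) leaves the target pointer undefined on failure, so a later NULL test on `b->address` (none is visible in this hunk) would not be a reliable out-of-memory check. I would test the call itself, `if (asprintf(&b->address, UNIX_USER_BUS_FMT, ee) < 0)`, and take whatever error path sd_bus_open_user() already uses for allocation failures. The function body continues on both sides of the hunk.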
[systemd-devel] Apparmor profile switching support
As discussed on the SELinux thread, this patch attempts to offer the same level of configuration for AppArmor distributions by allowing the sysadmin to set the profile used by a unit. I have not tested it yet, but I would like to get early feedback on it from openSUSE and Ubuntu users, as they are the two main groups of AppArmor users. The main inspiration comes from the upstart support (https://code.launchpad.net/~mdeslaur/upstart/apparmor-support). However, we currently lack the ability to use an on-disk profile directly, and I am not sure of the best way to support that. ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel
[systemd-devel] [PATCH 1/2] Add switch_apparmor_profile helper, to switch the profile of the next command to run. This can be used to load a custom apparmor profile for a unit.
From: Michael Scherer
---
src/shared/apparmor-util.c | 15 +++
src/shared/apparmor-util.h | 1 +
2 files changed, 16 insertions(+)
diff --git a/src/shared/apparmor-util.c b/src/shared/apparmor-util.c
index 2b85da1..a75bec4 100644
--- a/src/shared/apparmor-util.c
+++ b/src/shared/apparmor-util.c
@@ -39,3 +39,18 @@ bool use_apparmor(void) {
return use_apparmor_cached;
}
+
+int switch_apparmor_profile(const char * profile) {
+_cleanup_free_ char *filename = NULL;
+_cleanup_fclose_ FILE *proc = NULL;
+
+if (asprintf (&filename, "/proc/%d/attr/exec", getpid()) <0)
+return -ENOMEM;
+
+proc = fopen (filename, "w");
+if (! proc)
+return -errno;
+
+fprintf (proc, "exec %s\n", profile);
+return 0;
+}
diff --git a/src/shared/apparmor-util.h b/src/shared/apparmor-util.h
index 4b056a1..f27608d 100644
--- a/src/shared/apparmor-util.h
+++ b/src/shared/apparmor-util.h
@@ -24,3 +24,4 @@
#include
bool use_apparmor(void);
+int switch_apparmor_profile(const char * profile);
-- 1.8.4.2
___ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel
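Review bot: `switch_apparmor_profile()` returns 0 without ever learning whether the kernel accepted the profile: `fprintf()` only fills the stdio buffer, the real write happens when `_cleanup_fclose_` closes the stream, and that result is thrown away. A profile that is not loaded, or a transition the kernel denies, would therefore be reported as success and the unit would start without the requested confinement, contradicting the "or the unit will fail" wording in the man page text of patch 2/2. Check the write explicitly, e.g. `if (fprintf(proc, "exec %s\n", profile) < 0 || fflush(proc) == EOF) return -errno;`. An unbuffered `write()` on a file descriptor would additionally guarantee that the request reaches the attribute file in a single call.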
[systemd-devel] [PATCH 2/2] Add AppArmor profile switching
From: Michael Scherer This permit to switch to a specific apparmor profile when starting a daemon. This will result in a non operation if apparmor is disabled. --- man/systemd.exec.xml | 12 src/core/dbus-execute.c | 1 + src/core/execute.c| 19 +++ src/core/execute.h| 2 ++ src/core/load-fragment-gperf.gperf.m4 | 3 ++- src/shared/exit-status.c | 3 +++ src/shared/exit-status.h | 3 ++- 7 files changed, 41 insertions(+), 2 deletions(-) diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index 17748d4..250de13 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml @@ -931,6 +931,18 @@ + AppArmorProfile= + +Take a profile name as argument. +The process executed by the unit will switch to +this profile when started. Profiles must already +be loaded in the kernel, or the unit will fail. +This result in a non operation if AppArmor is not +enabled. + + + + IgnoreSIGPIPE= Takes a boolean diff --git a/src/core/dbus-execute.c b/src/core/dbus-execute.c index b79a456..df55fd0 100644 --- a/src/core/dbus-execute.c +++ b/src/core/dbus-execute.c @@ -422,6 +422,7 @@ const sd_bus_vtable bus_exec_vtable[] = { SD_BUS_PROPERTY("PrivateNetwork", "b", bus_property_get_bool, offsetof(ExecContext, private_network), SD_BUS_VTABLE_PROPERTY_CONST), SD_BUS_PROPERTY("SameProcessGroup", "b", bus_property_get_bool, offsetof(ExecContext, same_pgrp), SD_BUS_VTABLE_PROPERTY_CONST), SD_BUS_PROPERTY("UtmpIdentifier", "s", NULL, offsetof(ExecContext, utmp_id), SD_BUS_VTABLE_PROPERTY_CONST), +SD_BUS_PROPERTY("AppArmorProfile", "s", NULL, offsetof(ExecContext, apparmor_profile), SD_BUS_VTABLE_PROPERTY_CONST), SD_BUS_PROPERTY("IgnoreSIGPIPE", "b", bus_property_get_bool, offsetof(ExecContext, ignore_sigpipe), SD_BUS_VTABLE_PROPERTY_CONST), SD_BUS_PROPERTY("NoNewPrivileges", "b", bus_property_get_bool, offsetof(ExecContext, no_new_privileges), SD_BUS_VTABLE_PROPERTY_CONST), SD_BUS_PROPERTY("SystemCallFilter", "au", property_get_syscall_filter, 0, SD_BUS_VTABLE_PROPERTY_CONST), 
diff --git a/src/core/execute.c b/src/core/execute.c index 6ae9a5e..b0f4cd7 100644 --- a/src/core/execute.c +++ b/src/core/execute.c @@ -68,6 +68,7 @@ #include "fileio.h" #include "unit.h" #include "async.h" +#include "apparmor-util.h" #define IDLE_TIMEOUT_USEC (5*USEC_PER_SEC) #define IDLE_TIMEOUT2_USEC (1*USEC_PER_SEC) @@ -1570,6 +1571,16 @@ int exec_spawn(ExecCommand *command, goto fail_child; } } + +if (context->apparmor_profile) { +if (use_apparmor()) { +err = switch_apparmor_profile(context->apparmor_profile); +if (err < 0) { +r = EXIT_APPARMOR; +goto fail_child; +} +} +} } err = build_environment(context, n_fds, watchdog_usec, home, username, shell, &our_env); @@ -1728,6 +1739,9 @@ void exec_context_done(ExecContext *c) { free(c->utmp_id); c->utmp_id = NULL; +free(c->apparmor_profile); +c->apparmor_profile = NULL; + free(c->syscall_filter); c->syscall_filter = NULL; } @@ -2096,6 +2110,11 @@ void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) { fprintf(f, "%sUtmpIdentifier: %s\n", prefix, c->utmp_id); + +if (c->apparmor_profile) +fprintf(f, +"%sAppArmorProfile: %s\n", +prefix, c->apparmor_profile); } void exec_status_start(ExecStatus *s, pid_t pid) { diff --git a/src/core/execute.h b/src/core/execute.h index 989373f..754f163 100644 --- a/src/core/execute.h +++ b/src/core/execute.h @@ -133,6 +133,8 @@ struct ExecContext { char *utmp_id; +char *apparmor_profile; + char **read_write_dirs, **read_only_dirs, **inaccessible_dirs; unsigned long mount_flags; diff --git a/src/core/load-fragment-gperf.gperf.m4 b/src/core/load-fragment-gperf.gperf.m4 index a5033b2..d5d891e 100644 --- a/src/core/load-fragment-gperf.gperf.m4 +++ b/sr
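Review bot: In the exec_spawn() hunk the profile switch is appended at the end of the child's setup block, and the helper it calls opens `/proc/<pid>/attr/exec`; if an earlier step in that block (outside this hunk) has already restricted the file system view, the open fails and the unit exits with `EXIT_APPARMOR`. It is worth confirming the ordering against the namespace and chroot setup and recording it in a comment such as `/* must run while /proc is still reachable */`. The nested `if (context->apparmor_profile) { if (use_apparmor()) {` can also be written as one condition, `if (context->apparmor_profile && use_apparmor()) {`.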
[systemd-devel] [PATCH] Add SELinuxContext configuration item
From: Michael Scherer This permit to let system administrators decide of the domain of a service. This can be used with templated units to have each service in a différent domain ( for example, a per customer database, using MLS or anything ), or can be used to force a non selinux enabled system (jvm, erlang, etc) to start in a different domain for each service. --- man/systemd.exec.xml | 11 +++ src/core/dbus-execute.c | 1 + src/core/execute.c| 27 +++ src/core/execute.h| 2 ++ src/core/load-fragment-gperf.gperf.m4 | 3 ++- src/shared/exit-status.c | 3 +++ src/shared/exit-status.h | 3 ++- 7 files changed, 48 insertions(+), 2 deletions(-) diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index 17748d4..d93de4c 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml @@ -931,6 +931,17 @@ +SELinuxContext= + +Set the SELinux context of the +executed process. If set, this will override the +automated domain transition. However, the policy +still need to autorize the transition. See + setexeccon3 +for details. + + + IgnoreSIGPIPE= Takes a boolean diff --git a/src/core/dbus-execute.c b/src/core/dbus-execute.c index b79a456..d1b7c58 100644 --- a/src/core/dbus-execute.c +++ b/src/core/dbus-execute.c 
@@ -422,6 +422,7 @@ const sd_bus_vtable bus_exec_vtable[] = { SD_BUS_PROPERTY("PrivateNetwork", "b", bus_property_get_bool, offsetof(ExecContext, private_network), SD_BUS_VTABLE_PROPERTY_CONST), SD_BUS_PROPERTY("SameProcessGroup", "b", bus_property_get_bool, offsetof(ExecContext, same_pgrp), SD_BUS_VTABLE_PROPERTY_CONST), SD_BUS_PROPERTY("UtmpIdentifier", "s", NULL, offsetof(ExecContext, utmp_id), SD_BUS_VTABLE_PROPERTY_CONST), +SD_BUS_PROPERTY("SELinuxContext", "s", NULL, offsetof(ExecContext, selinux_context), SD_BUS_VTABLE_PROPERTY_CONST), SD_BUS_PROPERTY("IgnoreSIGPIPE", "b", bus_property_get_bool, offsetof(ExecContext, ignore_sigpipe), SD_BUS_VTABLE_PROPERTY_CONST), SD_BUS_PROPERTY("NoNewPrivileges", "b", bus_property_get_bool, offsetof(ExecContext, no_new_privileges), SD_BUS_VTABLE_PROPERTY_CONST), SD_BUS_PROPERTY("SystemCallFilter", "au", property_get_syscall_filter, 0, SD_BUS_VTABLE_PROPERTY_CONST), diff --git a/src/core/execute.c b/src/core/execute.c index 6ae9a5e..2a6ceb4 100644 --- a/src/core/execute.c +++ b/src/core/execute.c @@ -47,6 +47,10 @@ #include #endif +#ifdef HAVE_SELINUX +#include +#endif + #include "execute.h" #include "strv.h" #include "macro.h" @@ -1570,6 +1574,20 @@ int exec_spawn(ExecCommand *command, goto fail_child; } } +#ifdef HAVE_SELINUX +if (context->selinux_context) { +err = security_check_context(context->selinux_context); +if (err < 0) { +r = EXIT_SELINUX_CONTEXT; +goto fail_child; +} +err = setexeccon(context->selinux_context); +if (err < 0) { +r = EXIT_SELINUX_CONTEXT; +goto fail_child; +} +} +#endif } err = build_environment(context, n_fds, watchdog_usec, home, username, shell, &our_env); @@ -1728,6 +1746,9 @@ void exec_context_done(ExecContext *c) { free(c->utmp_id); c->utmp_id = NULL; +free(c->selinux_context); +c->selinux_context = NULL; + free(c->syscall_filter); c->syscall_filter = NULL; } 
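Review bot: The new `#ifdef HAVE_SELINUX` block in exec_spawn() calls `security_check_context()` and `setexeccon()` whenever `SELinuxContext=` is set, with no runtime check that SELinux is actually enabled on the host. On a binary built with SELinux support but booted with it disabled, these calls would presumably fail and every unit carrying the setting would exit with `EXIT_SELINUX_CONTEXT`. If that fail-closed behaviour is intended it deserves a comment and a sentence in the man page; otherwise guard the block, e.g. `if (context->selinux_context && is_selinux_enabled() > 0) {`. Both failure branches also drop errno, so the reason for the rejection is not available to whoever reads the exit status.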
@@ -2096,6 +2117,12 @@ void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) { fprintf(f, "%sUtmpIdentifier: %s\n", prefix, c->utmp_id); + +if (c->selinux_context) +fprintf(f, +"%sSELinuxContext: %s\n", +prefix, c->selinux_context); + } void exec_status_start(ExecStatus *s, pid_t pid) { diff --git a/src/core/execute.h b/src/core/execute.h index 989373f..4aeee2c 100644 --- a/src/core/execute.h +++ b/src/core/execute.h @@ -133,6 +133,8 @@ struct ExecContext { char *utmp_id; +char *selinux_context; + char **read_wr
[systemd-devel] [PATCH] Add a bit more explicit message, to help confused users
From: Michael Scherer Seeing http://www.happyassassin.net/2013/09/27/further-sysadmin-adventures-wheres-my-freeipa-badge/ it seems that the default message is a bit confusing for people who never encountered it before, so adding a link to the manpage could help them. --- tmpfiles.d/systemd.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tmpfiles.d/systemd.conf b/tmpfiles.d/systemd.conf index c397c71..b630440 100644 --- a/tmpfiles.d/systemd.conf +++ b/tmpfiles.d/systemd.conf @@ -22,7 +22,7 @@ d /run/systemd/users 0755 root root - d /run/systemd/machines 0755 root root - d /run/systemd/shutdown 0755 root root - -F /run/nologin 0644 - - - "System is booting up." +F /run/nologin 0644 - - - "System is booting up. See pam_nologin(8)" m /var/log/journal 2755 root systemd-journal - - m /var/log/journal/%m 2755 root systemd-journal - - -- 1.8.3.1 ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel
[systemd-devel] [PATCH] fix typo in documentation of systemd-machined
From: Michael Scherer --- man/systemd-machined.service.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/man/systemd-machined.service.xml b/man/systemd-machined.service.xml index abe221a..352b4a0 100644 --- a/man/systemd-machined.service.xml +++ b/man/systemd-machined.service.xml @@ -45,7 +45,7 @@ systemd-machined.service systemd-machined -Virtual machine and container registartion manager +Virtual machine and container registration manager -- 1.8.3.1 ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel