[systemd-devel] rootless nspawn scope clean-up

2025-07-25 Thread Dominick Grift
...@defensec.nl (wkd) Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098 Dominick Grift Mastodon: @kcini...@defensec.nl

Re: [systemd-devel] why does sd-pam not run as root?

2025-07-24 Thread Dominick Grift
Thorsten Kukuk writes: > On Thu, Jul 24, 2025 at 11:15 AM Dominick Grift > wrote: > >> I noticed that pam_wtmpdb was unhappy too for some reason. > > There should be a systemd socket activated wtmpdb daemon for that > reason. Either your wtmpdb version is too old, the s

Re: [systemd-devel] why does sd-pam not run as root?

2025-07-24 Thread Dominick Grift
Dominick Grift writes: > Dominick Grift writes: > >> Michal Koutný writes: >> >>> On Tue, Jul 22, 2025 at 06:21:28PM +0200, Dominick Grift >>> wrote: >>>> To be clear: >>>> >>>> 1. currently sd-pam does not always ru

Re: [systemd-devel] why does sd-pam not run as root?

2025-07-22 Thread Dominick Grift
Dominick Grift writes: > Michal Koutný writes: > >> On Tue, Jul 22, 2025 at 06:21:28PM +0200, Dominick Grift >> wrote: >>> To be clear: >>> >>> 1. currently sd-pam does not always run as root >> >> Ah, good. >> >>> 2. wh

Re: [systemd-devel] why does sd-pam not run as root?

2025-07-22 Thread Dominick Grift
Michal Koutný writes: > On Tue, Jul 22, 2025 at 06:21:28PM +0200, Dominick Grift > wrote: >> To be clear: >> >> 1. currently sd-pam does not always run as root > > Ah, good. > >> 2. when sd-pam does not run as root then it lacks permission needed to >

Re: [systemd-devel] why does sd-pam not run as root?

2025-07-22 Thread Dominick Grift
Michal Koutný writes: > Hello Dominick. > > On Tue, Jul 22, 2025 at 09:42:59AM +0200, Dominick Grift > wrote: >> >> From what I understand the sd-pam process is responsible for "PAM >> close" but it cannot do its job properly if it does not have pr

[systemd-devel] why does sd-pam not run as root?

2025-07-22 Thread Dominick Grift

Re: [systemd-devel] run0 and run0 versus machinectl shell

2024-10-17 Thread Dominick Grift
Lennart Poettering writes: > On Do, 17.10.24 09:58, Dominick Grift (dominick.gr...@defensec.nl) wrote: > >> >> I am encountering three issues with run0: >> >> 1. not upstream related but Debian (currently) does not install >> systemd-run0 pamname > >

[systemd-devel] run0 and run0 versus machinectl shell

2024-10-17 Thread Dominick Grift
my perspective run0 is pretty much similar to machinectl shell (.host) but I don't really get why the implementation differs in the ways that it does.

Re: [systemd-devel] /etc/machine-id has wrong SELinux file context and changes on second boot

2024-03-18 Thread Dominick Grift
nment). > > Do you have an idea how to work around this problem? > > Best, > Holger

[systemd-devel] systemd-pcrlock Failed to submit super PCR policy

2024-02-05 Thread Dominick Grift
rlock[35974]: Ignoring device path element type=0x01 subtype=0x01 Feb 04 20:00:01 nimbus systemd-pcrlock[35974]: Ignoring device path element type=0x02 subtype=0x01 Feb 04 20:00:01 nimbus systemd-pcrlock[35974]: Ignoring device path element type=0x04 subtype=0x08 Feb 04 20:00:01 nimbus systemd-pcr

Re: [systemd-devel] [systemd SELinux] system status permission

2019-10-07 Thread Dominick Grift
On Mon, Oct 07, 2019 at 06:51:57PM +0200, Dominick Grift wrote: > On Mon, Oct 07, 2019 at 11:03:44AM -0500, Ian Pilcher wrote: > > I am hitting this (non-fatal) denial when reloading a service via the > > systemd dbus API: > > > > > type=USER_AVC msg=audit(15

Re: [systemd-devel] [systemd SELinux] system status permission

2019-10-07 Thread Dominick Grift

Re: [systemd-devel] grant users access to certain services only

2015-08-21 Thread Dominick Grift
On Fri, Aug 21, 2015 at 01:50:31PM +0300, Mantas Mikulėnas wrote: > On Fri, Aug 21, 2015 at 1:43 PM, Dominick Grift > wrote: > > > On Fri, Aug 21, 2015 at 01:38:28PM +0300, Mantas Mikulėnas wrote: > > > > > > > > Do they have access to `cat /proc/self/mo

Re: [systemd-devel] grant users access to certain services only

2015-08-21 Thread Dominick Grift
t/pks/lookup?op=vindex&search=0x314883A202DFF788 Dominick Grift pgplvuCg2ZlLW.pgp Description: PGP signature ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] grant users access to certain services only

2015-08-21 Thread Dominick Grift
On Fri, Aug 21, 2015 at 08:25:56PM +1000, Daurnimator wrote: > On 21 August 2015 at 19:57, Dominick Grift wrote: > > i think it kind of sucks that systemctl --user list-units can be used to > > determine who is currently logged in. > > You can see with `loginctl list-user

Re: [systemd-devel] grant users access to certain services only

2015-08-21 Thread Dominick Grift

Re: [systemd-devel] grant users access to certain services only

2015-08-21 Thread Dominick Grift

Re: [systemd-devel] grant users access to certain services only

2015-08-21 Thread Dominick Grift
stop status };

Re: [systemd-devel] [HEADSUP] systemd-222 around the corner

2015-07-07 Thread Dominick Grift
On Tue, Jul 07, 2015 at 09:56:45AM +0100, Richard Maw wrote: > On Tue, Jul 07, 2015 at 09:25:21AM +0300, Andrei Borzenkov wrote: > > On Tue, Jul 7, 2015 at 9:02 AM, Dominick Grift > > wrote: > > > Would be nice if anyone could at least confirm or deny this issue that

Re: [systemd-devel] [HEADSUP] systemd-222 around the corner

2015-07-06 Thread Dominick Grift

[systemd-devel] [PATCH] selinux: fix missing SELinux unit access check

2015-06-09 Thread Dominick Grift
Development has moved to github.com/systemd It is probably better to submit a Github Push Request there if you have not done so already. Thanks

Re: [systemd-devel] [HEADSUP] nspawn/networkd: moving from iptables to nftables

2015-06-02 Thread Dominick Grift
_%28NAT%29

Re: [systemd-devel] systemd-nspawn trouble

2015-04-22 Thread Dominick Grift
ould be, mostly, transparent to applications and services.

Re: [systemd-devel] systemd-nspawn trouble

2015-04-22 Thread Dominick Grift

Re: [systemd-devel] SELinux labels on unix sockets

2015-03-25 Thread Dominick Grift
On Wed, Mar 25, 2015 at 10:31:41PM +0100, Dominick Grift wrote: > For the sock *file*, i would argue, that indeed the "setfscreatecon" is not > strictly needed, and that the labeling for this can be taken care of by using > type transition rules in the security policy as sugge

Re: [systemd-devel] SELinux labels on unix sockets

2015-03-25 Thread Dominick Grift
n() stuff should stay, and the setfscreatecon() stuff should *probably* go.