2016-03-07 08:45:36

by Jason Zaman

Subject: [refpolicy] [PATCH] system/init: move systemd_ interfaces into optional_policy

When ifdef systemd is enabled, some interfaces from systemd are called
unconditionally. This makes migrating from non-systemd to systemd
complicated since init is part of base and systemd is not, so loading
fails. Moving them into optional_policy fixes this.
---
policy/modules/system/init.te | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index c9e1532..fb7aafc 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -280,13 +280,15 @@ ifdef(`init_systemd',`

seutil_read_file_contexts(init_t)

- systemd_relabelto_kmod_files(init_t)
- systemd_dbus_chat_logind(init_t)
-
# udevd is a "systemd kobject uevent socket activated daemon"
udev_create_kobject_uevent_sockets(init_t)

optional_policy(`
+ systemd_relabelto_kmod_files(init_t)
+ systemd_dbus_chat_logind(init_t)
+ ')
+
+ optional_policy(`
dbus_system_bus_client(init_t)
dbus_connect_system_bus(init_t)
')
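Review bot: the new optional_policy block wrapping systemd_relabelto_kmod_files(init_t) and systemd_dbus_chat_logind(init_t) carries no comment explaining why calls into a module that an init_systemd build assumes to be present are made optional, and a later reader will likely unwrap them. Since the motivation is purely load ordering (init.te is in base, systemd.pp is a separate module that may not be loaded yet during a first install or a non-systemd to systemd migration), add a one-line comment above the block stating that, in the same style as the existing `# udevd is a "systemd kobject uevent socket activated daemon"` comment. Moving the two calls below the udevd comment and dropping the blank line after them changes nothing semantically, so the remainder of the hunk looks fine.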
--
2.4.10


2016-03-07 14:56:31

by cpebenito

Subject: [refpolicy] [PATCH] system/init: move systemd_ interfaces into optional_policy

On 3/7/2016 3:45 AM, Jason Zaman wrote:
> When ifdef systemd is enabled, some interfaces from systemd are called
> unconditionally. This makes migrating from non-systemd to systemd
> complicated since init is part of base and systemd is not, so loading
> fails. Moving them into optional_policy fixes this.
> ---
> policy/modules/system/init.te | 8 +++++---
> 1 file changed, 5 insertions(+), 3 deletions(-)
>
> diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
> index c9e1532..fb7aafc 100644
> --- a/policy/modules/system/init.te
> +++ b/policy/modules/system/init.te
> @@ -280,13 +280,15 @@ ifdef(`init_systemd',`
>
> seutil_read_file_contexts(init_t)
>
> - systemd_relabelto_kmod_files(init_t)
> - systemd_dbus_chat_logind(init_t)
> -
> # udevd is a "systemd kobject uevent socket activated daemon"
> udev_create_kobject_uevent_sockets(init_t)
>
> optional_policy(`
> + systemd_relabelto_kmod_files(init_t)
> + systemd_dbus_chat_logind(init_t)
> + ')
> +
> + optional_policy(`
> dbus_system_bus_client(init_t)
> dbus_connect_system_bus(init_t)
> ')

I don't think I follow. The lines are already in the init_systemd
block, so it doesn't make sense for them to be optional. Why wouldn't
systemd be in base, in this situation?

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2016-03-07 15:33:43

by Jason Zaman

Subject: [refpolicy] [PATCH] system/init: move systemd_ interfaces into optional_policy

On Mon, Mar 07, 2016 at 09:56:31AM -0500, Christopher J. PeBenito wrote:
> On 3/7/2016 3:45 AM, Jason Zaman wrote:
> > When ifdef systemd is enabled, some interfaces from systemd are called
> > unconditionally. This makes migrating from non-systemd to systemd
> > complicated since init is part of base and systemd is not, so loading
> > fails. Moving them into optional_policy fixes this.
> > ---
> > policy/modules/system/init.te | 8 +++++---
> > 1 file changed, 5 insertions(+), 3 deletions(-)
> >
> > diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
> > index c9e1532..fb7aafc 100644
> > --- a/policy/modules/system/init.te
> > +++ b/policy/modules/system/init.te
> > @@ -280,13 +280,15 @@ ifdef(`init_systemd',`
> >
> > seutil_read_file_contexts(init_t)
> >
> > - systemd_relabelto_kmod_files(init_t)
> > - systemd_dbus_chat_logind(init_t)
> > -
> > # udevd is a "systemd kobject uevent socket activated daemon"
> > udev_create_kobject_uevent_sockets(init_t)
> >
> > optional_policy(`
> > + systemd_relabelto_kmod_files(init_t)
> > + systemd_dbus_chat_logind(init_t)
> > + ')
> > +
> > + optional_policy(`
> > dbus_system_bus_client(init_t)
> > dbus_connect_system_bus(init_t)
> > ')
>
> I don't think I follow. The lines are already in the init_systemd
> block, so it doesn't make sense for them to be optional. Why wouldn't
> systemd be in base, in this situation?

It comes from here: https://bugs.gentoo.org/568754

The problem does not exist once you are in either init_systemd =
true/false. It is only a problem during the rebuild/reload when
transitioning from false->true.

The problem is init.pp is rebuilt with init_systemd enabled in the base
package. systemd.pp will be built later in sec-policy/selinux-systemd
(just like sec-policy/selinux-openrc) which systemd will depend on.
Having selinux-base provide systemd.pp seems a bit strange since then
even non-systemd people need the module loaded.

Once everything is loaded there are no problems anymore. The only
problem is migrating or during a first install when there is no policy
yet.

-- Jason

2016-03-08 13:53:13

by cpebenito

Subject: [refpolicy] [PATCH] system/init: move systemd_ interfaces into optional_policy

On 3/7/2016 3:45 AM, Jason Zaman wrote:
> When ifdef systemd is enabled, some interfaces from systemd are called
> unconditionally. This makes migrating from non-systemd to systemd
> complicated since init is part of base and systemd is not, so loading
> fails. Moving them into optional_policy fixes this.
> ---
> policy/modules/system/init.te | 8 +++++---
> 1 file changed, 5 insertions(+), 3 deletions(-)
>
> diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
> index c9e1532..fb7aafc 100644
> --- a/policy/modules/system/init.te
> +++ b/policy/modules/system/init.te
> @@ -280,13 +280,15 @@ ifdef(`init_systemd',`
>
> seutil_read_file_contexts(init_t)
>
> - systemd_relabelto_kmod_files(init_t)
> - systemd_dbus_chat_logind(init_t)
> -
> # udevd is a "systemd kobject uevent socket activated daemon"
> udev_create_kobject_uevent_sockets(init_t)
>
> optional_policy(`
> + systemd_relabelto_kmod_files(init_t)
> + systemd_dbus_chat_logind(init_t)
> + ')
> +
> + optional_policy(`
> dbus_system_bus_client(init_t)
> dbus_connect_system_bus(init_t)
> ')

Merged.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com