mirror of https://github.com/systemd/systemd.git synced 2024-11-07 01:27:11 +03:00
Commit Graph

15 Commits

Author SHA1 Message Date
Lennart Poettering
7a22745ac3 socket: support netlink sockets 2011-04-10 03:27:00 +02:00
Andrey Borzenkov
f89f1e8f83 socket: fix IPv6 availability detection
If IPv6 is loaded with disable=1, any IPv6 functionality is completely
disabled until the ipv6 module is reloaded. Do not assume IPv6 is available just
because the module is present. Fixes startup error:

Oct 27 20:58:02 cooker kernel: IPv6: Loaded, but administratively disabled, reboot required to enable
Oct 27 20:58:02 cooker kernel: systemd[1]: Set hostname to <cooker>.
Oct 27 20:58:02 cooker kernel: systemd[1]: Netlink failure for request 2: Operation not supported
Oct 27 20:58:02 cooker kernel: systemd[1]: Failed to configure loopback device: Operation not supported
2010-10-28 00:37:57 +02:00
Lennart Poettering
0e098b15c7 util: never use sizeof(sa_family_t) when calculating sockaddr sizes 2010-10-07 02:34:17 +02:00
Fabiano Fidencio
5bfcc1c6ef socket: Support IPv6-less systems with runtime check.
This patch introduces a socket_ipv6_is_supported() call that checks for
IPv6 availability. Code then checks for it before using specific calls.

In order to be less intrusive, this patch avoids IPv6 entries being
parsed at all, this way we don't get such entries in the system and
all other code paths are automatically ignored. However an extra check
is done at socket_address_listen() to make sure of that.

As the number of Netlink messages is not known upfront anymore,
loopback-setup.c was refactored to dynamically calculate the sequence
number and count.

Lennart's suggestions were fixed and squashed with the original patch,
which was sent by Gustavo Sverzut Barbieri (barbieri@profusion.mobi).
2010-09-21 01:00:38 +02:00
Lennart Poettering
d6c9574fb5 emacs: make sure nobody accidentally adds tabs to our sources 2010-08-14 19:59:25 +02:00
Lennart Poettering
e51bc1a23e selinux: split off selinux calls into separate file label.c 2010-08-11 22:58:34 +02:00
Daniel J Walsh
56cf987fe7 Systemd is causing mislabeled devices to be created and then attempting to read them.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 07/28/2010 05:57 AM, Kay Sievers wrote:
> On Wed, Jul 28, 2010 at 11:43, Lennart Poettering
> <lennart@poettering.net> wrote:
>> On Mon, 26.07.10 16:42, Daniel J Walsh (dwalsh@redhat.com) wrote:
>>> tcontext=system_u:object_r:device_t:s0 tclass=chr_file
>>> type=1400 audit(1280174589.476:7): avc:  denied  { read } for  pid=1
>>> comm="systemd" name="autofs" dev=devtmpfs ino=9482
>>> scontext=system_u:system_r:init_t:s0
>>> tcontext=system_u:object_r:device_t:s0 tclass=chr_file
>>> type=1400 audit(1280174589.476:8): avc:  denied  { read } for  pid=1
>>> comm="systemd" name="autofs" dev=devtmpfs ino=9482
>>> scontext=system_u:system_r:init_t:s0
>>> tcontext=system_u:object_r:device_t:s0 tclass=chr_file
>>>
>>> Lennart, we talked about this earlier.  I think this is caused by the
>>> modprobe calls to create /dev/autofs.  Since udev is not created at the
>>> point that init loads the kernel modules, the devices get created with
>>> the wrong label.  Once udev starts the labels get fixed.
>>>
>>> I can allow init_t to read device_t chr_files.
>>
>> Hmm, I think a cleaner fix would be to make systemd relabel this device
>> properly before accessing it? Given that this is only one device this
>> should not be a problem for us to maintain, I think? How would the
>> fixing of the label work? Would we have to spawn restorecon for this, or
>> can we actually do this in C without too much work?
>
> I guess we can just do what udev is doing, and call setfilecon(), with
> a context of an earlier matchpathcon().
>
> Kay
> _______________________________________________
> systemd-devel mailing list
> systemd-devel@lists.freedesktop.org
> http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Here is the updated patch with a fix for the labeling of /dev/autofs
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkxQMyoACgkQrlYvE4MpobNviACfWgxsjW2xzz1qznFex8RVAQHf
gIEAmwRmRcLvGqYtwQaZ3WKIg8wmrwNk
=pC2e
2010-08-03 23:45:22 +02:00
Daniel J Walsh
7a58bfa4ae socket: SELinux support for socket creation.
It seems to work on my machine.

/proc/1/fd/20	system_u:system_r:system_dbusd_t:s0

/proc/1/fd/21	system_u:system_r:avahi_t:s0

And the AVCs seem to have disappeared when a confined app tries to
connect to dbus or avahi.

If you run with this patch and selinux-policy-3.8.8-3.fc14.noarch,
you should be able to boot in enforcing mode.
2010-07-23 05:12:13 +02:00
Lennart Poettering
b15bdda870 socket: prepare for proper selinux labelling of sockets 2010-07-16 19:42:27 +02:00
Lennart Poettering
b12c1e7cf7 socket: pass minimal abstract socket names 2010-07-11 02:23:11 +02:00
Kay Sievers
16c42ce173 socket: define IP_FREEBIND if not defined 2010-07-01 17:44:13 +02:00
Lennart Poettering
4fd5948e74 socket: make various socket/pipe options configurable 2010-07-01 00:29:17 +02:00
Lennart Poettering
27ca8d7a25 socket: verify socket type properly when deserializing 2010-06-05 00:52:49 +02:00
Lennart Poettering
c0120d992c socket: fix parsing of bind_ipv6_only 2010-05-21 23:41:25 +02:00
Lennart Poettering
e99e38bbdc build-sys: move source files to subdirectory 2010-05-16 18:45:24 +02:00