[Dev] smack setup incomplete, systemd-journal fails

Schaufler, Casey casey.schaufler at intel.com
Thu Dec 19 16:32:49 GMT 2013


> -----Original Message-----
> From: Łukasz Stelmach [mailto:l.stelmach at samsung.com]
> Sent: Thursday, December 19, 2013 12:58 AM
> To: Schaufler, Casey
> Cc: dev at lists.tizen.org
> Subject: Re: [Dev] smack setup incomplete, systemd-journal fails
> 
> It was <2013-12-18 śro 20:31>, when Schaufler, Casey wrote:
> >> -----Original Message-----
> >> From: dev-bounces at lists.tizen.org
> >> [mailto:dev-bounces at lists.tizen.org] On Behalf Of Lukasz Stelmach
> >> Sent: Wednesday, December 18, 2013 9:52 AM
> >>
> >> Hi,
> >>
> >> I've got quite a recent RD-PQ image: tizen_20131217.8. There is a
> >> problem with systemd-journald failing to start because
> >
> > Where did you get this image? What are you running it on?
> 
> http://download.tizen.org/snapshots/tizen/rd-pq/tizen_20131217.8/
> 
> >> + "Failed to open /dev/kmsg, ignoring: Permission denied"
> >
> > This looks like you don't have the systemd rules file
> > 55-udev-default-smack-rules. This might indicate that the images do
> > not have a current version of systemd. A temporary workaround is:
> >
> > 	chsmack -a '*' /dev/kmsg
> 
> root:~> chsmack /dev/kmsg
> /dev/kmsg access="*"
> 
> This happens at some point because after systemd manages to start I can see
> /dev/kmsg labeled with '*'. However, journald tries to
> 
> >> + "Failed to open runtime journal: No such file or directory"
> >
> > This is most likely the Smack label on /var/log. A fix is in the works
> > for the general problem of /var/log. A temporary workaround is
> >
> > 	chsmack -a '*' /var/log
> 
> "Runtime journal" is in /run/log. And there is no /run/log directory which may
> suggest journald is unable to create it.
> 
> root:~> chsmack /run
> /run access="_"

This is a clear indication that systemd is not mounting /run.
When systemd mounts /run it uses the smackfstransmute
option to set the hierarchy to System::Run.

 
> >> Apparently something wrong happens with smack settings because, the
> >> problem does not appear with security=none present at kernel
> >> commandline.
> >
> > What shows up in /sys/fs/smackfs/load2?
> 
> --8<---------------cut here---------------start------------->8---
> root:~> cat /sys/fs/smackfs/load2 | wc -l
> 915
> root:~> cat /sys/fs/smackfs/load2 | grep -v ^org.tizen\\\|^com.samsung | sort
> System System::Run rwxat
> System System::Shared rwxat
> System User rwx
> System ^ rwxa
> User System wx
> User System::Run rwxat
> User System::Shared rx
> ^ System rwxa
> ^ System::Run rwxat
> _ System wx
> _ System::Run rwxat
> _default_ 57r43275q7 rw
> _default_ System rw
> _default_ User rw
> _default_ ^ rw
> _default_ cp7ipabg4k rw
> _default_ deviced rw
Your manifests have been copied from Tizen 2.

*This will not work*. Find all of the manifests that define domains
and change them to the default floor manifest. There is no
point in trying to track down any Smack related issues while
the manifests are in their current, Tizen 3 incompatible state.
By my count there are about 139 manifests that must be corrected.

Please refer to:

https://wiki.tizen.org/wiki/Security:SmackThreeDomainModel


> _default_ libug-phone rw
> _default_ oma-dm-agent rw
> _default_ oma-ds-
> ...
> efl com.samsung.gallery x
> webkit2-efl org.tizen.email rwx
> --8<---------------cut here---------------end--------------->8---
> 
> --
> Łukasz Stelmach
> Samsung R&D Institute Poland
> Samsung Electronics
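
An added example, not part of the original message or of Tizen's own tooling: a shell check that reads rules in the load2 format shown above and reports the labels that fall outside the three-domain set, which is how leftover Tizen 2 manifest domains show up in the loaded rules. The label list in THREE_DOMAIN_LABELS is an assumption taken from the System/User/floor rules quoted in this thread, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: find Smack labels in load2-format rules that are outside
# the label set assumed for the three-domain model.

# Assumption: labels seen in the System/User/floor rules quoted in the
# thread, plus the '*' label used with chsmack there.
THREE_DOMAIN_LABELS='System User System::Run System::Shared _ ^ *'

# foreign_labels: read "subject object access" lines on stdin and print
# "<rule count> <label>" for every label not in THREE_DOMAIN_LABELS.
foreign_labels() {
    awk -v allowed="$THREE_DOMAIN_LABELS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NF != 3 { next }                  # skip blank or truncated lines
        {
            if (!($1 in ok)) count[$1]++
            if ($2 != $1 && !($2 in ok)) count[$2]++
        }
        END { for (l in count) print count[l], l }
    ' | LC_ALL=C sort -k1,1nr -k2,2
}

# foreign_rule_count: number of rules that reference at least one such label.
foreign_rule_count() {
    awk -v allowed="$THREE_DOMAIN_LABELS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NF == 3 && (!($1 in ok) || !($2 in ok)) { c++ }
        END { print c + 0 }
    '
}

# Constructed sample in load2 format, built from rules quoted in the thread.
sample_rules() {
    cat <<'EOF'
System System::Run rwxat
User System wx
_ System::Run rwxat
_default_ System rw
_default_ deviced rw
webkit2-efl org.tizen.email rwx
EOF
}

# On a device: foreign_labels < /sys/fs/smackfs/load2
```

A non-zero result from `foreign_rule_count < /sys/fs/smackfs/load2` means domain-defining manifests are still installed; the labels printed by `foreign_labels` point at the packages whose manifests need changing.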

