[Dev] smack setup incomplete, systemd-journal fails

Łukasz Stelmach l.stelmach at samsung.com
Thu Dec 19 16:40:37 GMT 2013


It was <2013-12-18 Wed 20:31>, when Schaufler, Casey wrote:
>> -----Original Message-----
>> From: dev-bounces at lists.tizen.org [mailto:dev-bounces at lists.tizen.org] On
>> Behalf Of Lukasz Stelmach
>> Sent: Wednesday, December 18, 2013 9:52 AM
>> Hi,

A day of investigation.

>> I've got quite a recent RD-PQ image: tizen_20131217.8. There is a problem
>> with systemd-journald failing to start because
>
> Where did you get this image? What are you running it on?
>
>> 
>> + "Failed to open /dev/kmsg, ignoring: Permission denied"
>
> This looks like you don't have the systemd rules file
> 55-udev-default-smack-rules. This might indicate that the images do
> not have a current version of systemd. A temporary workaround is:

I've got the file. The version is as current as possible but it does not
do:

> 	chsmack -a '*' /dev/kmsg

unless patched with [fn:1].

>> + "Failed to open runtime journal: No such file or directory"
>
> This is most likely the Smack label on /var/log. A fix is in the works
> for the general problem of /var/log. A temporary workaround is
>
> 	chsmack -a '*' /var/log

As I wrote, this is about /run and /run/log.

--8<---------------cut here---------------start------------->8---
2597  execve("/usr/lib/systemd/systemd-journald", ["/usr/lib/systemd/systemd-journald"], [/* 5 vars */])            = 0
[...]
2597  open("/dev/kmsg", O_RDWR|O_NOCTTY|O_NONBLOCK|O_LARGEFILE|O_CLOEXEC) = -1 EACCES (Permission denied)
[...]
2597  mkdir("/run", 0755)               = -1 EEXIST (File exists)
2597  mkdir("/run/log", 0755)           = -1 EACCES (Permission denied)
2597  open("/run/log/journal/a7d44123bd584b19b949cd3701a47293/system.journal", O_RDWR|O_CREAT|O_LARGEFILE|O_CLOEXEC, 0640) = -1 ENOENT (No such file or directory)
2597  writev(2, [{"Failed to open runtime journal: No such file or directory", 57}, {"\n", 1}], 2) = 58
--8<---------------cut here---------------end--------------->8---

--8<---------------cut here---------------start------------->8---
root:~> dmesg  | grep lsm=SMACK | tail -1 
[ 2183.931852] type=1400 audit(946715231.815:14): lsm=SMACK fn=smack_inode_permission action=denied subject="System" object="_" requested=wx pid=2597 comm="systemd-journal" name="/" dev="tmpfs" ino=1293
root:~> mount | awk ' (/^tmpfs/){print $3}'  | xargs -i find '{}' -inum 1293
/run
root:~> chsmack /run
/run access="_"
root:~> chsmack /dev/kmsg 
/dev/kmsg access="*"
--8<---------------cut here---------------end--------------->8---

PID 2597 was systemd-journald running with the System label.

I wonder why /dev/kmsg is a problem.

>> Apparently something wrong happens with smack settings because, the
>> problem does not appear with security=none present at kernel
>> commandline.
>
> What shows up in /sys/fs/smackfs/load2?

--8<---------------cut here---------------start------------->8---
root:~> grep ^System /sys/fs/smackfs/load2
System User rwx
System ^ rwxa
System System::Shared rwxat
System System::Run rwxat
--8<---------------cut here---------------end--------------->8---

but /run is not labeled with System::Run.

Footnotes:

[fn:1] http://lists.freedesktop.org/archives/systemd-devel/2013-December/015740.html

-- 
Łukasz Stelmach
Samsung R&D Institute Poland
Samsung Electronics
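
Added example, not part of the original message: a Python sketch that parses the Smack audit record quoted above and evaluates it against the `load2` rules shown, to see why `System` is refused `wx` on an object labeled `_` and what changes if the object carried `System::Run`. The function names are hypothetical, and `smack_allows` is a simplified model of Smack's built-in access rules (it ignores the `@` label), not code from the kernel or from Tizen.

```python
import re

# Constructed inputs: both strings are copied from the output quoted in the message.
AUDIT = ('type=1400 audit(946715231.815:14): lsm=SMACK fn=smack_inode_permission '
         'action=denied subject="System" object="_" requested=wx pid=2597 '
         'comm="systemd-journal" name="/" dev="tmpfs" ino=1293')
LOAD2 = """System User rwx
System ^ rwxa
System System::Shared rwxat
System System::Run rwxat"""

def parse_audit(line):
    """Return the key=value fields of a Smack audit record as a dict."""
    pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', line)
    return {key: value.strip('"') for key, value in pairs}

def parse_rules(text):
    """Map (subject, object) to a set of access letters from load2-style lines."""
    rules = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            rules[(parts[0], parts[1])] = set(parts[2]) - {'-'}
    return rules

def smack_allows(subject, obj, requested, rules):
    """Simplified model of the kernel's check order; the whole request passes or fails."""
    req = set(requested)
    if subject == '*':
        return False                      # a "*" task is denied everything
    if obj == '*' or subject == obj:
        return True                       # "*" objects and same-label access pass
    if req <= set('rx') and (obj == '_' or subject == '^'):
        return True                       # floor objects / hat tasks: read, execute only
    return req <= rules.get((subject, obj), set())

def explain(audit_line, rules_text, relabel_to):
    """Compare the logged denial with the same request after relabeling the object."""
    rec, rules = parse_audit(audit_line), parse_rules(rules_text)
    now = smack_allows(rec['subject'], rec['object'], rec['requested'], rules)
    fixed = smack_allows(rec['subject'], relabel_to, rec['requested'], rules)
    return rec['subject'], rec['object'], rec['requested'], now, fixed

if __name__ == '__main__':
    subj, obj, req, now, fixed = explain(AUDIT, LOAD2, 'System::Run')
    print(f'{subj} -> {obj} ({req}): allowed={now}; '
          f'-> System::Run: allowed={fixed}')
```

Under this model, the `*` label reported for /dev/kmsg passes any request from `System`, while the floor label on /run grants only read and execute.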