[Dev] smack setup incomplete, systemd-journal fails

Schaufler, Casey casey.schaufler at intel.com
Thu Dec 19 18:41:03 GMT 2013


> -----Original Message-----
> From: Łukasz Stelmach [mailto:l.stelmach at samsung.com]
> Sent: Thursday, December 19, 2013 10:27 AM
> To: Schaufler, Casey
> Cc: dev at lists.tizen.org
> Subject: Re: [Dev] smack setup incomplete, systemd-journal fails
> 
> It was <2013-12-19 czw 18:26>, when Schaufler, Casey wrote:
> >> -----Original Message-----
> >> From: Łukasz Stelmach [mailto:l.stelmach at samsung.com]
> >> Sent: Thursday, December 19, 2013 9:19 AM
> >> To: Schaufler, Casey
> >> Cc: dev at lists.tizen.org
> >> Subject: Re: [Dev] smack setup incomplete, systemd-journal fails
> >>
> >> It was <2013-12-19 czw 17:32>, when Schaufler, Casey wrote:
> >> > -----Original Message-----
> >> > From: Łukasz Stelmach [mailto:l.stelmach at samsung.com]
> >> > Sent: Thursday, December 19, 2013 12:58 AM
> >> >> It was <2013-12-18 śro 20:31>, when Schaufler, Casey wrote:
> >> >>>> -----Original Message-----
> >> >>>> From: dev-bounces at lists.tizen.org
> >> >>>> [mailto:dev-bounces at lists.tizen.org] On Behalf Of Lukasz
> >> >>>> Stelmach
> >> >>>> Sent: Wednesday, December 18, 2013 9:52 AM
> >> >>>>
> >> >>>> Hi,
> >> >>>>
> >> >>>> I've got quite a recent RD-PQ image: tizen_20131217.8. There is
> >> >>>> a problem with systemd-journald failing to start because
> >> >>>
> >> >>> Where did you get this image? What are you running it on?
> >> >>
> >> >> http://download.tizen.org/snapshots/tizen/rd-pq/tizen_20131217.8/
> >> >>
> >>
> >> [...]
> >>
> >> >> >> + "Failed to open runtime journal: No such file or directory"
> >> >> >
> >> >> > This is most likely the Smack label on /var/log. A fix is in the
> >> >> > works for the general problem of /var/log. A temporary
> >> >> > workaround is
> >> >> >
> >> >> > 	chsmack -a '*' /var/log
> >> >>
> >> >> "Runtime journal" is in /run/log. And there is no /run/log
> >> >> directory which may suggest journald is unable to create it.
> >> >>
> >> >> root:~> chsmack /run
> >> >> /run access="_"
> >> >
> >> > This is a clear indication that systemd is not mounting /run.
> >> > When systemd mounts /run it uses the smackfstransmute option to set
> >> > the hierarchy to System::Run.
> >>
> >> [   20.297116] tmpfs: Bad mount option smackfstransmute
> >>
> >> Apparently I need to back-port it.
> >
> > There is a set of kernel patches required.
> > Look at the ivi kernel change log.
> > The base kernel version that mobile uses will of course impact which
> > patches are required.
> 
> Correct me if I am wrong:
> 
> git log --format=oneline $(git merge-base tizen-mobile/tizen tizen-ivi/tizen)..tizen-ivi/tizen -- security/smack/
> 
> shows I need to take these
> 
> e830b394 Smack: Add smkfstransmute mount option
> 2f823ff8 Smack: Improve access check performance
> c6739443 Smack: Local IPv6 port based controls

You also need:

8ff4ac65: Smack: Cgroup filesystem access
	The *only* place you'll see this is the ivi tree. It is not upstream.
cb6108a4: Smack: Ptrace access check mode
d5ec1d65: Smack: Implement lock security mode
 
> to get what I need, assuming tizen-mobile and tizen-ivi are,
> respectively:
> 
> git://review.tizen.org/platform/kernel/linux-3.10.git
> git://review.tizen.org/profile/ivi/kernel-x86-ivi.git

The ivi tree is 3.12 based. You may have other issues using a 3.10 kernel.


> The patches apply cleanly. I will see tomorrow if they work.
> 
> >> --8<---------------cut here---------------start------------->8---
> >> commit e830b39412ca2bbedd7508243f21c04d57ad543c
> >> Author: Casey Schaufler <casey at schaufler-ca.com>
> >> Date:   Wed May 22 18:43:07 2013 -0700
> >>
> >>     Smack: Add smkfstransmute mount option
> >> --8<---------------cut here---------------end--------------->8---
> 
> Best regards,
> --
> Łukasz Stelmach
> Samsung R&D Institute Poland
> Samsung Electronics
