[Dev] smack setup incomplete, systemd-journal fails

Łukasz Stelmach l.stelmach at samsung.com
Fri Dec 20 09:53:14 GMT 2013


It was <2013-12-19 czw 19:41>, when Schaufler, Casey wrote:
>> -----Original Message-----
>> From: Łukasz Stelmach [mailto:l.stelmach at samsung.com]
>> Sent: Thursday, December 19, 2013 10:27 AM
>> To: Schaufler, Casey
>> Cc: dev at lists.tizen.org
>> Subject: Re: [Dev] smack setup incomplete, systemd-journal fails
>> 
>> It was <2013-12-19 czw 18:26>, when Schaufler, Casey wrote:
>>>> -----Original Message-----
>>>> From: Łukasz Stelmach [mailto:l.stelmach at samsung.com]
>>>> Sent: Thursday, December 19, 2013 9:19 AM
>>>> To: Schaufler, Casey
>>>> Cc: dev at lists.tizen.org
>>>> Subject: Re: [Dev] smack setup incomplete, systemd-journal fails
>>>>
>>>> It was <2013-12-19 czw 17:32>, when Schaufler, Casey wrote:
>>>>> -----Original Message-----
>>>>> From: Łukasz Stelmach [mailto:l.stelmach at samsung.com]
>>>>> Sent: Thursday, December 19, 2013 12:58 AM
>>>>>> It was <2013-12-18 śro 20:31>, when Schaufler, Casey wrote:
>>>>>>> -----Original Message-----
>>>>>>> From: dev-bounces at lists.tizen.org
>>>>>>> [mailto:dev-bounces at lists.tizen.org] On Behalf Of Lukasz
>>>>>>> Stelmach
>>>>>>> Sent: Wednesday, December 18, 2013 9:52 AM
>>>>>>>> + "Failed to open runtime journal: No such file or directory"
>>>>>>>
>>>>>>> This is most likely the Smack label on /var/log. A fix is in the
>>>>>>> works for the general problem of /var/log. A temporary
>>>>>>> workaround is
>>>>>>>
>>>>>>> 	chsmack -a '*' /var/log
>>>>>>
>>>>>> "Runtime journal" is in /run/log. And there is no /run/log
>>>>>> directory which may suggest journald is unable to create it.
>>>>>>
>>>>>> root:~> chsmack /run
>>>>>> /run access="_"
>>>>>
>>>>> This is a clear indication that systemd is not mounting /run.
>>>>> When systemd mounts /run it uses the smackfstransmute option to set
>>>>> the hierarchy to System::Run.
>>>>
>>>> [   20.297116] tmpfs: Bad mount option smackfstransmute
>>>>
>>>> Apparently I need to back-port it.
>>>
>>> There is a set of kernel patches required.
>>> Look at the ivi kernel change log.
>>> The base kernel version that mobile uses will of course impact which
>>> patches are required.
>> 
>> Correct me if I am wrong:
>> 
>> git log --format=oneline $(git merge-base tizen-mobile/tizen tizen-ivi/tizen)..tizen-ivi/tizen -- security/smack/
>> 
>> shows I need to take these
>> 
>> e830b394 Smack: Add smkfstransmute mount option
>> 2f823ff8 Smack: Improve access check performance
>> c6739443 Smack: Local IPv6 port based controls
>
> You also need:
>
> 8ff4ac65: Smack: Cgroup filesystem access
> 	The *only* place you'll see this is the ivi tree. It is not upstream.
> cb6108a4: Smack: Ptrace access check mode
> d5ec1d65: Smack: Implement lock security mode
>  

I've decided to take all the patches for Smack available in ivi tree

--8<---------------cut here---------------start------------->8---
13482179 Smack: Cgroup filesystem access
4b6e1f27 Smack: Ptrace access check mode
15a27374 Smack: Implement lock security mode
10289b0f Smack: parse multiple rules per write to load2, up to PAGE_SIZE-1 bytes
6ea06247 Smack: IPv6 casting error fix for 3.11
677264e8 Smack: network label match fix
4d7cf4a1 security: smack: add a hash table to quicken smk_find_entry()
470043ba security: smack: fix memleak in smk_write_rules_list()
9548906b xattr: Constify ->name member of "struct xattr".
746df9b5 Security: Add Hook to test if the particular xattr is part of a MAC model.
0fcfee61 Smack: Fix the bug smackcipso can't set CIPSO correctly
8cd77a0b Smack: Fix possible NULL pointer dereference at smk_netlbl_mls()
e830b394 Smack: Add smkfstransmute mount option
2f823ff8 Smack: Improve access check performance
c6739443 Smack: Local IPv6 port based controls
--8<---------------cut here---------------end--------------->8---

Things appear to work no worse than they did before. Apparently we need
to rebase the mobile kernel.

Thank you very much for your assistance.

>> to get what I need these assuming tizen-mobile and tizen-ivi are
>> respectively.
>> 
>> git://review.tizen.org/platform/kernel/linux-3.10.git
>> git://review.tizen.org/profile/ivi/kernel-x86-ivi.git
>
> The ivi tree is 3.12 based. You may have other issues using a 3.10 kernel.


-- 
Łukasz Stelmach
Samsung R&D Institute Poland
Samsung Electronics
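
The two pieces of evidence used in this thread to find the problem, the `chsmack /run` line and the tmpfs kernel message, can be checked together. The following is an added example, not part of the original message or of any Tizen tool; the function name `diagnose_run` and its result strings are hypothetical, and the "good" sample line is constructed in the format chsmack prints.

```shell
#!/bin/sh
# Added example: classify the Smack state of /run from the chsmack line
# for /run and the kernel log, the two items quoted in the thread.

# diagnose_run LABEL_LINE KLOG_TEXT   (hypothetical helper)
#   LABEL_LINE: output of `chsmack /run`
#   KLOG_TEXT : kernel log text, e.g. captured from dmesg
diagnose_run() {
    label_line=$1
    klog=$2

    # tmpfs refused the option: the kernel lacks the Smack patch adding it,
    # so /run can never get System::Run no matter what systemd asks for.
    case $klog in
        *"Bad mount option smackfstransmute"*)
            echo "kernel-rejects-smackfstransmute"
            return 0 ;;
    esac

    # Pull LABEL out of:  /run access="LABEL" [transmute="TRUE"]
    label=$(printf '%s\n' "$label_line" |
            sed -n 's/.*access="\([^"]*\)".*/\1/p')

    case $label in
        "System::Run")
            # The label alone is not enough: without the transmute flag,
            # files created under /run do not inherit System::Run.
            case $label_line in
                *'transmute="TRUE"'*) echo "ok" ;;
                *) echo "label-set-not-transmuting" ;;
            esac ;;
        "") echo "no-label-found" ;;
        *)  echo "run-not-labelled:$label" ;;
    esac
}

# Samples taken verbatim from the thread.
PAGE_CHSMACK='/run access="_"'
PAGE_KLOG='[   20.297116] tmpfs: Bad mount option smackfstransmute'
# Constructed sample: what a correctly mounted /run would report.
CONSTRUCTED_GOOD='/run access="System::Run" transmute="TRUE"'

echo "thread state : $(diagnose_run "$PAGE_CHSMACK" "$PAGE_KLOG")"
echo "label only   : $(diagnose_run "$PAGE_CHSMACK" "")"
echo "after fix    : $(diagnose_run "$CONSTRUCTED_GOOD" "")"
```

On a live system the arguments would be `"$(chsmack /run)"` and `"$(dmesg)"`.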