[Dev] smack setup incomplete, systemd-journal fails

Łukasz Stelmach l.stelmach at samsung.com
Mon Dec 23 14:06:32 GMT 2013


It was <2013-12-18 śro 20:31>, when Schaufler, Casey wrote:
>> -----Original Message-----
>> From: dev-bounces at lists.tizen.org [mailto:dev-bounces at lists.tizen.org] On
>> Behalf Of Lukasz Stelmach
>> Sent: Wednesday, December 18, 2013 9:52 AM
>> To: dev at lists.tizen.org
>> Subject: [Dev] smack setup incomplete, systemd-journal fails
>> 
>> Hi,
>> 
>> I've got quite a recent RD-PQ image: tizen_20131217.8. There is a problem
>> with systemd-journald failing to start because
>
> Where did you get this image? What are you running it on?
>
>> 
>> + "Failed to open /dev/kmsg, ignoring: Permission denied"
>
> This looks like you don't have the systemd rules file
> 55-udev-default-smack-rules. This might indicate that the images do
> not have a current version of systemd. A temporary workaround is:
>
> 	chsmack -a '*' /dev/kmsg

Not that simple :-D The problem is in smack_syslog() from smack_lsm.c.

With the following patch applied:

--8<---------------cut here---------------start------------->8---
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 3f01cf5..952e8cd 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -226,18 +226,20 @@ static int smack_ptrace_traceme(struct task_struct *ptp)
 static int smack_syslog(int typefrom_file)
 {
 	int rc = 0;
+	struct smk_audit_info ad;
 	struct smack_known *skp = smk_of_current();
 
 	if (smack_privileged(CAP_MAC_OVERRIDE))
 		return 0;
 
-	 if (skp != &smack_known_floor)
+	if (skp != &smack_known_floor)
 		rc = -EACCES;
 
+	smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_NONE);
+	smack_log(skp->smk_known, "", 0, rc, &ad);
 	return rc;
 }
 
-
 /*
  * Superblock Hooks.
  */
--8<---------------cut here---------------end--------------->8---

and console messages:

--8<---------------cut here---------------start------------->8---
[    5.542679] type=1400 audit(946697015.045:2): lsm=SMACK fn=smack_syslog action=denied subject="System" object="" requested= pid=1259 comm="systemd-journal"
Failed to open /dev/kmsg, ignoring: Permission denied
[...]
root:~> systemctl status systemd-journald.service
systemd-journald.service - Journal Service
   Loaded: loaded (/usr/lib/systemd/system/systemd-journald.service; static)
   Active: active (running) since Fri 1999-12-31 19:23:34 PST; 10min ago
     Docs: man:systemd-journald.service(8)
           man:journald.conf(5)
 Main PID: 1259 (systemd-journal)
   Status: "Processing requests..."
   CGroup: /system.slice/systemd-journald.service
           └─1259 /usr/lib/systemd/systemd-journald

[...]
--8<---------------cut here---------------end--------------->8---


The cause is more than obvious. However, the solution (at least to me)
is not.

With systemd-journald running with label "System" and not "_" and
without CAP_MAC_OVERRIDE it gets naked in smack_syslog. We need some
kind of a solution here. 

-- 
Łukasz Stelmach
Samsung R&D Institute Poland
Samsung Electronics
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 489 bytes
Desc: not available
URL: <http://lists.tizen.org/pipermail/dev/attachments/20131223/02526df6/attachment.sig>


More information about the Dev mailing list