On 07/14/2010 05:02 PM, Jeffrey Ollie wrote:
> On Wed, Jul 14, 2010 at 2:13 PM, Lennart Poettering
> <mzerqung@xxxxxxxxxxx> wrote:
>> On Wed, 14.07.10 14:07, Jeffrey Ollie (jeff@xxxxxxxxxx) wrote:
>>
>>> I've been trying to test systemd on my dev box but without success so
>>> far. My system boots up and I get the usual GDM login screen and VTs
>>> but I can't log in. SSH fails as well. SSH gives me "Unable to get
>>> valid context for jcollie", shows me the last login date and closes the
>>> connection. I think I'm seeing a similar message on the console but
>>> it flashes too quickly for me to be sure.
>>
>> Hmm, this smells a bit like a policy problem. Could you try selinux=0 on
>> the kernel cmdline to figure out if that makes things work?
>>
>> And please file a bug against systemd which I'll then reassign to
>> selinux should this really be the problem.
>
> It looks like Bill Nottingham beat me to filing a bug:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=614574
>
> but at least with selinux in permissive mode I now have my rawhide
> system booting up with systemd.
>

I thought I had checked it in, but I was leaving on vacation and dropped
the ball.

Fixed in selinux-policy-3.8.7-1.fc14.noarch

    chcon -t init_exec_t /bin/systemd

will also fix it so you can boot in enforcing mode.

I am changing my laptop to boot full time systemd to see what other
gotchas there are.

The biggest SELinux problem will be as we go to systemd impersonating
other services. For example, if systemd was going to start mysql by
listening on /var/run/mysql.socket, SELinux would expect
/var/run/mysql.socket to be labeled mysqld_var_run_t. Currently, if
systemd creates this socket it would be labeled init_var_run_t.

Secondly, if httpd tried to connect to this socket, SELinux enforces the
rule that httpd_t can read/write a sock_file labeled mysqld_var_run_t
and connectto services labeled mysqld_t. SELinux will deny httpd_t
read/write of sock_files labeled init_var_run_t and will not allow it to
connectto processes labeled init_t.

The best solution to this would be to get the systemd process that is
creating the sock_file and listening to impersonate mysqld_t:

    fork()
    setexec("system_u:system_r:mysqld_t:s0")
    create_sock_file()
    listen()
    accept()
    exec mysqld

-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
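The fork / set context / create socket / listen / accept / exec sequence sketched above, carried through as an added example (this is not systemd's code and not code from the mail). It labels three things, because a single setexec() only affects the exec'd image: the socket object (sockcreate), the sock_file node on disk (fscreate) and the daemon's process domain (exec). The labels are written through the kernel's /proc/self/attr interface, which is what libselinux's setsockcreatecon()/setfscreatecon()/setexeccon() use underneath. The mapping mysqld_t -> mysqld_var_run_t is an assumption taken from the mail's example; real code should look the socket path up in file_contexts (libselinux selabel_lookup()) rather than derive it from the domain name. On a host without SELinux the label writes are skipped so the activation flow can still be exercised; on an SELinux host a failed label write raises rather than silently starting the daemon in the wrong domain.

```python
"""Socket activation for an SELinux-confined daemon (added example, not
systemd's implementation). Flow: fork, label the socket/sock_file/exec
image with the service's contexts, bind, listen, accept the first client,
exec the daemon with that connection on fd 3 (systemd's Accept=yes layout).
"""
import os
import socket
import sys
import tempfile
import time

SELINUXFS = "/sys/fs/selinux"


def selinux_enabled() -> bool:
    # selinuxfs is mounted here on every kernel with SELinux enabled.
    return os.path.exists(os.path.join(SELINUXFS, "enforce"))


def set_proc_attr(name: str, context: str) -> bool:
    """Write a context to /proc/self/attr/<name> (sockcreate, fscreate, exec).
    Returns False when SELinux is off and nothing was written; on an SELinux
    host a denied write raises so the daemon never starts mislabelled."""
    if not selinux_enabled():
        return False
    with open(os.path.join("/proc/self/attr", name), "w") as f:
        f.write(context)
    return True


def service_labels(domain: str, user: str = "system_u", role: str = "system_r",
                   level: str = "s0"):
    """Process context for the daemon and the sock_file type policy expects.
    Assumption: the naming convention from the mail (mysqld_t -> mysqld_var_run_t)."""
    base = domain[:-2] if domain.endswith("_t") else domain
    process_ctx = f"{user}:{role}:{domain}:{level}"
    sock_file_ctx = f"{user}:object_r:{base}_var_run_t:{level}"
    return process_ctx, sock_file_ctx


def activate(sock_path: str, domain: str, argv: list) -> int:
    """Fork; the child creates the labelled socket, waits for the first client
    and execs argv with that connection on fd 3. Returns the child's pid."""
    process_ctx, sock_file_ctx = service_labels(domain)
    if os.path.exists(sock_path):
        os.unlink(sock_path)
    pid = os.fork()
    if pid:
        return pid
    try:
        set_proc_attr("sockcreate", process_ctx)   # socket object -> mysqld_t
        set_proc_attr("fscreate", sock_file_ctx)   # sock_file -> mysqld_var_run_t
        set_proc_attr("exec", process_ctx)         # exec'd daemon -> mysqld_t
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        srv.bind(sock_path)
        srv.listen(1)
        conn, _ = srv.accept()
        os.dup2(conn.fileno(), 3)                  # dup2 leaves fd 3 inheritable
        os.environ["LISTEN_FDS"] = "1"             # sd_listen_fds() convention
        os.environ["LISTEN_PID"] = str(os.getpid())
        os.execvp(argv[0], argv)
    except BaseException:
        os._exit(127)


def connect_with_retry(sock_path: str, timeout: float = 5.0) -> socket.socket:
    """Client side: connect to sock_path, retrying until the activator has bound it."""
    deadline = time.monotonic() + timeout
    while True:
        s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        try:
            s.connect(sock_path)
            return s
        except (FileNotFoundError, ConnectionRefusedError):
            s.close()
            if time.monotonic() > deadline:
                raise
            time.sleep(0.02)


if __name__ == "__main__":
    # Stand-in daemon (constructed): echoes the request from fd 3 in upper case.
    path = os.path.join(tempfile.mkdtemp(), "mysql.socket")
    daemon = [sys.executable, "-c",
              "import os; d = os.read(3, 64); os.write(3, d.upper())"]
    child = activate(path, "mysqld_t", daemon)
    client = connect_with_retry(path)
    client.sendall(b"ping")
    print(client.recv(64))
    os.waitpid(child, 0)
```

The parent never needs the daemon's domain itself; only the child that will become the daemon sets the three attributes, which is why the labelling happens after fork(). With httpd_t on the other end of /var/run/mysql.socket, the node now carries mysqld_var_run_t and the peer is mysqld_t, so the read/write and connectto rules the mail describes apply as policy intends.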