On 12/13/2016 03:21 PM, Tom Hughes wrote:
> On 13/12/16 20:02, Przemek Klosowski wrote:
>> On 12/13/2016 02:51 PM, Lennart Poettering wrote:
>>> Yeah, this is really what it boils down to: the goal with the systemd
>>> directives is to make things easy to grok and easy to change. I can
>>> probably explain to most Linux admins who have administered a current
>>> Fedora in 5min what ProtectSystem=strict and
>>> ReadWritePaths=/var/lib/myservice does, and why it's a good thing. And
>>
>> One thing that SELinux does right is auditing---access violations are
>> logged, so that there are no silent mysterious failures (well, mumble,
>> mumble, maybe sometimes, you know what I mean). Also, SELinux allows
>> debugging in the permissive mode that just logs without actually
>> blocking access. What happens after systemd directives result in
>> denials?
>
> There speaks the person that has never had something blocked by a
> noaudit rule in the selinux policy...
>
> Tom
>
I am all for this feature. But realize debugging EPERM is often problematic
when it comes to containerized environments.

You have Regular DAC, UserNamespace DAC, SELinux, SECCOMP, Other LSM ...
which can all cause EPERM; diagnosing what caused them can often be difficult.

A few years ago we attempted to work with the kernel on FriendlyEperm, but
got rejected because it was racy. Often the only one that knows why you got
EPERM is the kernel and most ways it does not reveal why.

https://fedoraproject.org/wiki/Features/FriendlyEPERM
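The layers named in the message above (DAC, user-namespace DAC, seccomp, SELinux, other LSMs) can at least be enumerated per process from /proc, which narrows the candidates for an EPERM even though it cannot say which layer denied the call. The following is an added example, not part of the original thread; the function names and sample values are constructed, and the SELinux "unconfined_t" check is a heuristic assumption.

```python
# Added example: name the confinement layers that apply to a process,
# using only text the kernel already exposes under /proc/<pid>/.
IDENTITY_MAP = [["0", "0", "4294967295"]]  # uid_map of the initial user namespace

def parse_status(text):
    """Turn /proc/<pid>/status into a dict of field name -> stripped value."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def candidate_layers(status_text, uid_map_text, lsm_label):
    """List the layers worth checking when this process reports EPERM."""
    layers = ["DAC"]  # ordinary ownership/mode checks always apply
    maps = [line.split() for line in uid_map_text.splitlines() if line.strip()]
    if maps and maps != IDENTITY_MAP:
        layers.append("user-namespace DAC")
    mode = parse_status(status_text).get("Seccomp", "0")
    if mode != "0":  # 1 = strict, 2 = filter
        layers.append("seccomp " + {"1": "strict", "2": "filter"}.get(mode, mode))
    label = lsm_label.strip("\x00 \n")
    parts = label.split(":")
    # Heuristic (assumption): an SELinux context has >= 3 colon fields and
    # its third field is the type; other LSMs report a free-form label.
    if len(parts) >= 3 and parts[2] != "unconfined_t":
        layers.append("SELinux " + parts[2])
    elif len(parts) < 3 and label not in ("", "unconfined"):
        layers.append("other LSM " + label)
    return layers

def read_proc(pid="self"):
    """Read the three inputs for a live process; missing files become ''."""
    def slurp(name):
        try:
            with open("/proc/%s/%s" % (pid, name)) as f:
                return f.read()
        except OSError:
            return ""
    return slurp("status"), slurp("uid_map"), slurp("attr/current")

# Constructed sample: a service in a user namespace with a seccomp filter.
SAMPLE_STATUS = "Name:\tmyservice\nUid:\t0\t0\t0\t0\nSeccomp:\t2\n"
SAMPLE_UID_MAP = "         0     100000      65536\n"
SAMPLE_LABEL = "system_u:system_r:container_t:s0:c12,c34\x00"

if __name__ == "__main__":
    print(candidate_layers(SAMPLE_STATUS, SAMPLE_UID_MAP, SAMPLE_LABEL))
    print(candidate_layers(*read_proc()))
```
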