On Di, 14.07.20 11:02, Ulrich Windl (Ulrich.Windl@xxxxxxxxxxxxxxxxxxxx) wrote: > >>> Lennart Poettering <mzerqung@xxxxxxxxxxx> schrieb am 14.07.2020 um 09:50 > in > Nachricht <20200714075029.GC180968@gardel-login>: > > On Di, 14.07.20 09:10, Dac Override (dac.override@xxxxxxxxx) wrote: > > > >> selinux-autorelabel needs to be able to resolve users. Currently users > >> managed with systemd-serdbd are not resolvable in the > >> selinux-autorelabel.target.. > >> > >> Should I be able to pull systemd.userdvd into the > >> selinux-autorelabel.target? Is there a better way to ensure that homed > >> users are resolvable when selinux-autorelabel.service runs? > > > > systemd-homed runs after /home, and the selinux relabel stuff runs > > much earlier, no? > > > > How does this work for LDAP/NIS/… users? They typically are late boot > > stuff too? > > Yes, it is a problem even at different places: You cannot use an LDAP user for > any tmpfiles, even if the directory is used only after LDAP us up. We explicitly document that system users/groups cannot be served by LDAP, and if you do that you use systemd outside of its documented intended work environment: https://systemd.io/UIDS-GIDS See last paragraph in the "Special Distribution UID ranges" section. systemd-tmpfiles is a tool for creating system files/dirs, and runs very early. We explicitly don't support it being used for anything else, i.e. for creating files for regular users. > Also the > password utilities refuse to add the same user locally that exists in LDAP. > Typically I restart the tmpfiles unit again manually and then things are OK. > (In this regard NFS "bg" mounts are much smarter than systemd's tmpfiles > unit.) Don#t use tmpfiles for regular user stuff, do not use it for LDAP users. It's not for that. It's a usecase we explicitly do not cover. Sorry. Lennart -- Lennart Poettering, Berlin _______________________________________________ systemd-devel mailing list systemd-devel@xxxxxxxxxxxxxxxxxxxxx https://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: Antw: [EXT] Re: advice on how to address selinux-autorelabel issue with userdbd
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
- Subject: Re: Antw: [EXT] Re: advice on how to address selinux-autorelabel issue with userdbd
- From: Lennart Poettering <mzerqung@xxxxxxxxxxx>
- Date: Tue, 14 Jul 2020 11:35:54 +0200
- Cc: "systemd-devel@xxxxxxxxxxxxxxxxxxxxx" <systemd-devel@xxxxxxxxxxxxxxxxxxxxx>, dac.override@xxxxxxxxx
- In-reply-to: <5F0D748E020000A10003A044@gwsmtp.uni-regensburg.de>
- References: <CAJVWAV1Jhg=RZdCQs3C_m4WyozfRu75avC0PU8Q1X431EioRqg@mail.gmail.com> <20200714075029.GC180968@gardel-login> <5F0D748E020000A10003A044@gwsmtp.uni-regensburg.de>
- Follow-Ups:
- References:
- advice on how to address selinux-autorelabel issue with userdbd
- From: Dac Override
- Re: advice on how to address selinux-autorelabel issue with userdbd
- From: Lennart Poettering
- Antw: [EXT] Re: advice on how to address selinux-autorelabel issue with userdbd
- From: Ulrich Windl
- advice on how to address selinux-autorelabel issue with userdbd
- Prev by Date: Antw: [EXT] Re: advice on how to address selinux-autorelabel issue with userdbd
- Next by Date: Antw: Re: Antw: [EXT] Re: advice on how to address selinux-autorelabel issue with userdbd
- Previous by thread: Antw: [EXT] Re: advice on how to address selinux-autorelabel issue with userdbd
- Next by thread: Antw: Re: Antw: [EXT] Re: advice on how to address selinux-autorelabel issue with userdbd
- Index(es):
 |