Hello,

Thanks for the update. This way, the only processes I see running unconfined_t 
are those that I expect to be unconfined: my user processes. I'm 1 reboot away 
from verifying this on the exact machine I reported this for, but already can 
confirm the fix for my 64-bit system at home.
 
-----Original message-----
> From: Laurent Bigonville <bi...@debian.org>
> Sent: Friday 31st January 2014 15:47
> To: Michael Biebl <bi...@debian.org>
> Cc: Bart-Jan Vrielink <bart...@vrielink.net>; 
> 737...@bugs.debian.org
> Subject: Re: [Pkg-systemd-maintainers] Bug#737006: systemd: When 
> init=/lib/systemd/systemd, selinux no longer works
> 
> On Fri, 31 Jan 2014 06:56:49 +0100,
> Michael Biebl <bi...@debian.org> wrote:
> 
> > On 29.01.2014 10:54, Bart-Jan Vrielink wrote:
> > > Package: systemd
> > > Version: 204-6
> > > Severity: important
> > > 
> > > Dear Maintainer,
> > > 
> > > When I boot up under systemd, I get asked if I want to enter a
> > > security context when I login. It seems that all processes are
> > > running under the kernel_t label (except systemd-udevd, which runs
> > > under system_u:system_r:udev_t:s0-s0:c0.c1023)
> > > 
> > > Because of this, the combination of SELinux and systemd is at the
> > > moment unusable. SELinux works fine under init=/sbin/init
> 
> Hello Michael!
> 
> > Sounds like a bug in the selinux policy package to me, not in systemd
> > itself. That said, I basically know nothing about selinux.
> > 
> > bigon, can you comment on this bug report?
> > Let us know whether we should re-assign it to one of the
> > selinux-policy-* packages or if there is something which needs to be
> > addressed in systemd.
> 
> Yes you are correct, this is a bug in the policy and it should be
> reassigned to it.
> 
> We dropped almost all the Debian-specific patches that were applied to
> the package in the past because it was impossible for us to keep such a
> huge delta with upstream. Unfortunately upstream doesn't have ATM
> (people are working on it IIRC) systemd support (the patches were
> previously coming straight from Fedora).
> 
> Bart-Jan: So what I will suggest to you is the following 2 commands:
> 
> semanage fcontext -a -t init_exec_t /lib/systemd/systemd
> restorecon -v /lib/systemd/systemd
> 
> This will already help, but unfortunately not all the services will
> run in the correct labels.
> 
> Cheers,
> 
> Laurent Bigonville
> 
> 
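
Added example, not part of the original thread or of the Debian packages: a check for the symptom reported above (user-space processes left in kernel_t), run here over constructed `ps -eo label,pid,ppid,comm` output. The function names and the sample lines are assumptions; kernel threads (PID 2 and its children) are skipped because they legitimately keep kernel_t.

```shell
#!/bin/sh
# Reads `ps -eo label,pid,ppid,comm` output on stdin and prints "PID COMMAND"
# for every user-space process whose SELinux type is still kernel_t.
# Kernel threads are excluded: kthreadd is PID 2 and its children have PPID 2.
stuck_in_kernel_t() {
    awk '
        $1 == "LABEL" { next }                 # skip the ps header line
        {
            n = split($1, ctx, ":")            # user:role:type:level[:categories]
            if (n >= 3 && ctx[3] == "kernel_t" && $2 != 2 && $3 != 2)
                print $2, $4
        }'
}

# Constructed sample: the state described in the bug report, where systemd
# (PID 1) never left kernel_t and so its children inherited the label.
sample_ps() {
    cat <<'EOF'
LABEL                                     PID  PPID COMMAND
system_u:system_r:kernel_t:s0               1     0 systemd
system_u:system_r:kernel_t:s0               2     0 kthreadd
system_u:system_r:kernel_t:s0               3     2 ksoftirqd/0
system_u:system_r:udev_t:s0-s0:c0.c1023   212     1 systemd-udevd
system_u:system_r:kernel_t:s0             480     1 sshd
EOF
}

# Stand-alone run over the sample; on a live system use instead:
#   ps -eo label,pid,ppid,comm | stuck_in_kernel_t
sample_ps | stuck_in_kernel_t
```

An empty result after applying the file-context fix and rebooting means no user-space process is left in kernel_t; `ls -Z /lib/systemd/systemd` shows whether the binary itself carries init_exec_t.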
