On 7 May 2011 23:43, Daniel Drake <[email protected]> wrote:
> On 7 May 2011 23:30, Kay Sievers <[email protected]> wrote:
>> You need capabilities in your kernel, or comment its use out, in the
>> service file.
>
> I think I have capabilities in my kernel: CONFIG_SECURITY=y which
> means security/capability.c gets compiled in. Were you thinking of
> something else?
>
> Commenting out CapabilityBoundingSet from systemd-kmsg-syslogd.service
> does fix the issue and allow boot to continue. Thanks!
>
> Is this a systemd bug (maybe it should ignore CapabilityBoundingSet
> lines when capabilities aren't available?) or do I need to decide
> between hacking systemd unit files or going with this requirement?

I looked further.

The systemd.exec man page pointed me to the capabilities(7) man page. That man
page says:

       Removing capabilities from the bounding set is only supported if file
       capabilities are compiled into the kernel (CONFIG_SECURITY_FILE_CAPABILITIES).

That option doesn't exist in the kernel any more, it was removed by:

commit b3a222e52e4d4be77cc4520a57af1a4a0d8222d1
Author: Serge E. Hallyn <[email protected]>
Date:   Mon Nov 23 16:21:30 2009 -0600

    remove CONFIG_SECURITY_FILE_CAPABILITIES compile option

That commit made it unconditionally on, in agreement with this part
of security/Makefile in modern kernels:

    # always enable default capabilities
    obj-y                                       += commoncap.o

So, I don't think it's possible to build a kernel without capabilities
support. The problem must be something else (but commenting out those
CapabilityBoundingSet lines does work around the problem). Any ideas /
next debugging steps?

I filed a bug for the /sys/kernel/security problem:
https://bugs.freedesktop.org/show_bug.cgi?id=36993

Thanks,
Daniel
_______________________________________________
systemd-devel mailing list
[email protected]
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
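The mechanism under discussion, as an added example that is not part of the thread and not systemd's own code: a CapabilityBoundingSet= line is ultimately a series of prctl(PR_CAPBSET_DROP) calls, and PR_CAPBSET_READ is the matching unprivileged query. The probe below reads the bounding set, finds the highest capability number the running kernel accepts (PR_CAPBSET_READ fails with EINVAL past that), and attempts one drop while reporting the errno rather than aborting, so EPERM (no CAP_SETPCAP) can be told apart from EINVAL (unknown capability number). The 256 upper bound on the scan and the choice of CAP_SYS_MODULE as the capability to drop are assumptions made for this example.

```c
/*
 * Added example, not from the mailing-list thread and not systemd code:
 * probe the capability bounding set with prctl(2). Linux only.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <linux/capability.h>

/* Assumed upper bound for the scan in bset_last_cap(); real kernels stop far below it. */
#define BSET_SCAN_LIMIT 256

/* 1 if cap is in the calling process's bounding set, 0 if not,
 * -1 with errno set (EINVAL for a capability number the kernel does not know). */
int bset_has(int cap)
{
    return prctl(PR_CAPBSET_READ, (unsigned long) cap, 0UL, 0UL, 0UL);
}

/* Drop cap from the bounding set, as a CapabilityBoundingSet= line does.
 * Returns 0 on success, otherwise -errno (typically -EPERM without CAP_SETPCAP). */
int bset_drop(int cap)
{
    if (prctl(PR_CAPBSET_DROP, (unsigned long) cap, 0UL, 0UL, 0UL) < 0)
        return -errno;
    return 0;
}

/* Highest capability number the running kernel accepts: walk up from
 * CAP_CHOWN (0) until PR_CAPBSET_READ fails with EINVAL. Returns -1 if
 * even capability 0 cannot be read, i.e. no bounding-set support at all. */
int bset_last_cap(void)
{
    int cap;
    for (cap = 0; cap < BSET_SCAN_LIMIT; cap++) {
        if (prctl(PR_CAPBSET_READ, (unsigned long) cap, 0UL, 0UL, 0UL) < 0)
            return (errno == EINVAL) ? cap - 1 : -1;
    }
    return cap - 1;
}

int main(void)
{
    int last = bset_last_cap();
    if (last < 0) {
        printf("kernel reports no capability bounding set support\n");
        return 1;
    }
    printf("kernel accepts capability numbers 0..%d\n", last);
    printf("CAP_SYS_MODULE in bounding set before drop: %d\n", bset_has(CAP_SYS_MODULE));

    int r = bset_drop(CAP_SYS_MODULE);
    if (r == 0)
        printf("dropped CAP_SYS_MODULE; in bounding set now: %d\n", bset_has(CAP_SYS_MODULE));
    else
        printf("drop failed: %s (a CapabilityBoundingSet= drop would fail the same way here)\n",
               strerror(-r));
    return 0;
}
```

Run it as an unprivileged user and then as root: the read side works in both cases, while the drop succeeds only when the process holds CAP_SETPCAP, which is the split a unit's CapabilityBoundingSet= handling depends on.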
