author: INSUN PYO <insun.pyo@samsung.com> 2020-09-17 13:58:47 +0900
committer: INSUN PYO <insun.pyo@samsung.com> 2020-09-18 16:16:21 +0900
commit: 51323678604154b8afd7c62fdf39b996d0483bd3
tree: 4b81bf2bda7547f2f5be9f78a1f9d180d6e8bb53
parent: eda79035e81a53ad163d345491a503c6d46360f3
Jan 01 09:08:55 localhost audit[2765]: AVC lsm=SMACK fn=smack_key_permission action=denied subject="User" object="System::Privileged" requested=r pid=2765 comm="tlm-sessiond" key_serial=841328352 key_desc="_ses"
Jan 01 09:08:55 localhost audit[2765]: AVC lsm=SMACK fn=smack_inode_permission action=denied subject="User" object="System::Privileged" requested=r pid=2765 comm="tlm-sessiond" name="environ" dev="proc" ino=23193
Jan 01 09:08:55 localhost audit[2765]: AVC lsm=SMACK fn=smack_inode_permission action=denied subject="User" object="System::Privileged" requested=r pid=2765 comm="tlm-sessiond" name="sched" dev="proc" ino=23194
Jan 01 09:08:55 localhost audit[2765]: AVC lsm=SMACK fn=smack_key_permission action=denied subject="User" object="System::Privileged" requested=r pid=2765 comm="tlm-sessiond" key_serial=185875009 key_desc="_uid.5001"
Jan 01 09:08:55 localhost audit[2765]: AVC lsm=SMACK fn=smack_file_open action=denied subject="User" object="System::Privileged" requested=r pid=2765 comm="tlm-sessiond" path="/opt/var/log/wtmp" dev="mmcblk0p3" ino=822

tlm-sessiond only creates the shell process in /etc/passwd directly, and this shell process does nothing.
So, changing tlm's smack from "User" to "System" does not change user systemd and its associated processes.

===========================================================================================================================
sh-3.2# pstree -p | grep tlm
        |-tlm(551)-+-tlm-sessiond(567)-+-bash(622)
        |          |                   |-{tlm-sessiond}(569)
        |          |                   `-{tlm-sessiond}(572)
        |          |-{tlm}(565)
        |          `-{tlm}(566)

sh-3.2# ps -auxZ | grep tlm
User    root    551  0.0  0.2  25912  2672 ?     Ssl  11:23  0:00 /usr/bin/tlm
User    root    567  0.0  0.3  26848  3104 ?     Sl   11:23  0:00 /usr/bin/tlm-sessiond

sh-3.2# ps -auxZ | grep 622
User    owner   622  0.0  0.1   4628  1068 tty7  Ss+  11:23  0:00 /bin/bash   <== shell process

Change-Id: I7376be55ea57ab187a79ab99721e05e1d8ea38a1
Signed-off-by: Hyotaek Shim <hyotaek.shim@samsung.com>
-rw-r--r-- data/tlm.service 2
1 files changed, 1 insertions, 1 deletions
diff --git a/data/tlm.service b/data/tlm.service
index 9001d33..94c5fe0 100644
--- a/data/tlm.service
+++ b/data/tlm.service
@@ -4,7 +4,7 @@ After=systemd-user-sessions.service systemd-logind.service
Requires=dbus.socket
[Service]
-SmackProcessLabel=User
+SmackProcessLabel=System
ExecStart=/usr/bin/tlm
CapabilityBoundingSet=~CAP_MAC_ADMIN
CapabilityBoundingSet=~CAP_MAC_OVERRIDE
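Review bot: The "+SmackProcessLabel=System" line relabels the whole tlm daemon, while the context line "CapabilityBoundingSet=~CAP_MAC_ADMIN" stays in place, so tlm-sessiond cannot normally assign a different label to the session child it forks. Smack labels are inherited across fork, and across exec unless the binary carries a SMACK64EXEC attribute, so the shell shown as bash(622) would be expected to run as System rather than User once this unit is deployed. The "ps -auxZ" output in the commit message still lists tlm and tlm-sessiond as User, which suggests it was captured before the change; please add the same output taken with the new unit, including the label of the shell process, or describe how the child returns to User. All five logged denials are requested=r against System::Privileged, so the message should also say why moving the daemon to System was chosen over a narrower read rule for the User label.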