[tomoyo-dev-en 286] Re: systemd support


Jamie Nguyen jamie****@tomoy*****
Fri Jun 17 22:45:28 JST 2011


Tetsuo Handa wrote:
> Jamie Nguyen wrote:
>> If a service has "Type=forking", then $MAINPID can either be
>> determined from a PID file provided by the program, or systemd does
>> some kind of magic to guess what $MAINPID is. The default is to guess.
>> I'm running revision 5131 and it is working fine.
>
> OK.
>
>> I have restarted the service several times and it appears that systemd
>> is able to guess $MAINPID correctly every time.
>
> I used SIGHUP as a trigger for reloading the configuration file rather than
> re-executing the program. It does not cause fork() nor execve(). So, systemd
> will not fail to guess.

Great, thanks for implementing!


>> On an unrelated note, I think I've spotted a bug. Creating a second
>> namespace works fine, but creating a third namespace seems to cause
>> some issue with profiles. The policy within "/etc/ccs/policy/"
>> directory is correct, but "/etc/ccs/profile.conf" is not updated to
>> reflect the third namespace.
>
> /etc/ccs/{domain_policy,exception_policy,profile,manager}.conf are symlinks to
> policy/current/{domain_policy,exception_policy,profile,manager}.conf .
> I think neither ccs-editpolicy nor ccs-savepolicy touches /etc/ccs/profile.conf .
>
> Has /etc/ccs/profile.conf changed from a symlink to a regular file for some
> reason?

I've recreated the symlink and it works as expected. I don't remember
deleting the symlink or overwriting the file manually, but it is very
likely to have been my error :D Sorry for the false alarm.


> Tetsuo Handa wrote:
>> > 2) The profile editor screen doesn't work as expected when doing
>> > "ccs-editpolicy /etc/ccs". Pressing "s" to edit for example the
>> > "3-PREFERENCE" line to have "enforcing_penalty=5" results in two lines
>> > that start with "3-PREFERENCE", instead of replacing the line that is
>> > being edited.
>>
>> That is due to lazy implementation in order to absorb differences in the parser
>> used by the TOMOYO 1.8.x kernels. Keywords may be added within TOMOYO 1.8.x but
>> the userspace tools should not ignore the line even if it does not know how to
>> parse the line. Thus, offline mode is almost doing only "echo $line >> $file"
>> for addition and "grep -vF $line $file" for deletion because invalid lines will
>> be ignored and old values will be overwritten when parsed by the kernel.
>>
>> But in order to save lines when embedding policy into the kernel, offline mode
>> should start using parsers which the kernel uses.
>
> Done in revision 5135.

Great, thanks.
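
Archive note (an added example, not part of the original message or of ccs-tools): a shell check for the failure discussed above, where /etc/ccs/profile.conf had turned from a symlink into a regular file. The function name `check_ccs_symlinks` and the `CCS_BAD` variable are hypothetical; the file names and link targets are the ones given in the thread.

```shell
#!/bin/sh
# Verify that <dir>/{domain_policy,exception_policy,profile,manager}.conf
# are symlinks to policy/current/<name>.conf, the layout described in the thread.
# check_ccs_symlinks and CCS_BAD are hypothetical names, not part of ccs-tools.
# Usage: check_ccs_symlinks /etc/ccs
check_ccs_symlinks() {
    ccs_dir=${1:-/etc/ccs}
    CCS_BAD=0                      # number of entries that deviate from the layout
    for ccs_name in domain_policy exception_policy profile manager; do
        ccs_path="$ccs_dir/$ccs_name.conf"
        ccs_want="policy/current/$ccs_name.conf"
        if [ -L "$ccs_path" ]; then
            ccs_target=$(readlink "$ccs_path")
            if [ "$ccs_target" != "$ccs_want" ] &&
               [ "$ccs_target" != "$ccs_dir/$ccs_want" ]; then
                echo "WRONG    $ccs_path -> $ccs_target (expected $ccs_want)"
                CCS_BAD=$((CCS_BAD + 1))
            elif [ ! -e "$ccs_path" ]; then
                # The link text is right but nothing exists behind it.
                echo "DANGLING $ccs_path -> $ccs_target"
                CCS_BAD=$((CCS_BAD + 1))
            else
                echo "ok       $ccs_path -> $ccs_target"
            fi
        elif [ -e "$ccs_path" ]; then
            # The case from the thread: a regular file sits where the symlink
            # should be, so edits under policy/ never show up in this file.
            echo "REGULAR  $ccs_path is not a symlink"
            CCS_BAD=$((CCS_BAD + 1))
        else
            echo "MISSING  $ccs_path"
            CCS_BAD=$((CCS_BAD + 1))
        fi
    done
    [ "$CCS_BAD" -eq 0 ]           # exit status 0 only when all four links are intact
}
```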



