When we do an async pk request, let's store which action/details we used
for the original request, and when we are called for the second time,
let's compare. If the action/details changed, let's not allow the access
to go through.
We have that in tmpfiles.d and it is makes looking up the syntax
very easy.
While at it, add an example for "r" and use the underscrore as prefix
as described in the text.
Relevant when testing in permissive mode, where the function does not return a failure to the client.
This helps to configure a system in permissive mode, without getting surprising failures when switching to enforced mode.
`log_enforcing()` and `log_enforcing_errno()` are only used for important messages, which describe failures in enforced mode.
They are guarded either by `!mac_selinux_use()` or `!label_hnd` checks, where the latter is itself guarded by the former.
Only SELinux enabled systems print these logs.
This helps to configure a system in permissive mode, without getting surprising failures when switching to enforced mode.
This never made into a release, so we can change the name with impunity.
Suggested by Davide Pesavento.
I opted to add the "ing" ending. "Fair queuing" is the name of the general
concept and algorithm, and "Fair queue" is mostly used for the implementation
name.
In particular, let's just say "is" and "must" instead of "may be" and
"should". The weaker forms are obviously correct, but the text is easier to
understand if non-conditional forms are used.
Fixes systemd build in Fedora rawhide.
The old ldsdir option is not useful, because both the directory and the
file name changed. Let's remove the option and try to autodetect the file
name. If this turns out to be not enough, a new option to simply specify
the full path to the file can be added.
F31:
efi arch: x86_64
EFI machine type: x64
EFI CC ccache cc
EFI lds: /usr/lib64/gnuefi/elf_x64_efi.lds
EFI crt0: /usr/lib64/gnuefi/crt0-efi-x64.o
EFI include directory: /usr/include/efi
F32:
efi arch: x86_64
EFI machine type: x64
EFI CC ccache cc
EFI lds: /usr/lib/gnuefi/x64/efi.lds
EFI crt0: /usr/lib/gnuefi/x64/crt0.o
EFI include directory: /usr/include/efi
Two releases ago we started warning about this, and I think it is now to turn
this into a hard error. People get bitten by this every once in a while, and
there doesn't see to be any legitimate use case where the same .link or
.network files should be applied to _all_ interfaces, since in particular that
configuration would apply both to lo and any other interfaces. And if for
whatever reason that is actually desired, OriginalName=* or Name=* can be
easily added to silence the warning and achieve the effect.
(The case described in #12098 is particularly nasty: 'echo -n >foo.network'
creates a mask file, 'echo >foo.network' creates a "match all" file.)
Fixes#717, #12098 for realz now.
Officially we default to a "enable *", even though pretty much everybody
overrides this with "disable *". We have a bunch of targets and services which
should not be enabled by default. In case the default policy is not overriden,
our passive units would be enabled by presets, which is generally not useful at
all. So let's explicitly mark them as disabled.
Note that this effectively changes very little. E.g. on Fedora, all the units
listed in this patch were "disabled" already.
Fixes#14648.
Fixes#6282.
This solution is a bit busy, but we close the race without setting *.all.*, so
it is still possible to set a different setting for particular interfaces.
Setting just "default" is not very useful because any interfaces present before
systemd-sysctl is invoked are not affected. Setting "all" is too harsh, because
the kernel takes the stronger of the device-specific setting and the "all" value,
so effectively having a weaker setting for specific interfaces is not possible.
This is intended for net.*.conf.*.foo files. Setting just "default" is not very
useful because any interfaces present before systemd-sysctl is invoked are not
affected. Setting "all" is too harsh, because the kernel takes the stronger of
the device-specific setting and the "all" value, so effectively having a weaker
setting for specific interfaces is not possible. Let's add a way in which can
set "default" first and then all the others without "all".
When unit is reloaded, and the reloaded unit has bad-setting, then
unit_patch_contexts() is not called and exec_context::user and group
may not be configured.
A minimum reproducer for the case is:
- step 1.
$ sudo systemctl edit --full hoge.service
[Service]
oneshot
ExecStart=sleep 1h
- step 2.
$ sudo systemctl start hoge.service
- step 3.
$ sudo systemctl edit --full hoge.service
[Service]
Type=oneshot
ExecStart=@bindir@/sleep 1h
DynamicUser=yes
Then pid1 crashed.
Fixes#14733.
This extends the "uid:gid" syntax for "u" lines so that a group
name can be given instead of a GID. This requires that the group
is either queued for creation by sysusers, or it is already defined
on the system.
Closes#14340
Having /etc/securetty in test containers prevents root from logging into
them:
```
Jan 31 10:15:11 systemd-testsuite login[69]: pam_securetty(login:auth): access denied: tty 'pts/0' is not secure !
Jan 31 10:15:11 systemd-testsuite login[69]: FAILED LOGIN 1 FROM pts/0 FOR root, Authentication failure
```
Lennart Poettering