New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Active checks with dbus #566
Conversation
@tparchambault see how these changes play with your testing |
@tparchambault eh hold off, there is another item to address |
Since you committed some of your work 12 hrs ago and I put some observations into that other PR around that same time, did you see the following wrt timing, and did you intend for this change to also address it. I believe it will. |
Yep, this PR will address the timing issues too. |
@tparchambault OK, I just tested the latest on rhel, See what you see with it. |
Clean FC34 with only emacs, fapolicyd, and the generated fapolicy-analyzer rpm associated with this PR. Things look good. Ordering of fapolicyd shutdown/start reported in the journal is correct, deployed changes to the ancillary dbase were good, deployment timeout rollback also good. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm assuming the pyo3 daemon.rs deploy() throws exceptions lower down the stack on errors, i.e. from the calls it invokes and their children? I only saw this PyRuntimeError::new_err("Daemon unresponsive")
in fn wait_for_daemon(target_state: State)
I'll dig around but for the sake of merging, if the answer is yes
, we are good to go.
This was an indeed an issue. When fapolicyd was in a Take another look and see if it all still functions as expected. |
I am going to leave the stderr prints in there for the near term. |
Functionally, on a clean FC34 rpm install, no issues observed. |
Eliminate the calls to systemctl for service status checks, using dbus instead. This removes one potential pinch point where deployed rules can limit the call to systemctl. A side-effect of this is that the monitoring function now works even in the case of fully locked down system (ie. only the deny+any+all+all rule).
This also aligns both stages of deployment, deployment and rollback. Those stages used to be handled differently, where initial deployment only was a pipe write to refresh trust, while rollback deployment was a full daemon reload. Then the pipe write went away to align rule and trust writing, but there were some straggling issues that were left behind. These changes align the backends for both modes and resolve issues where fixes were present in one mode but not the other.
Closes #565