Comment 42 for bug 1890858
Revision history for this message
| Christian Ehrhardt (paelzer) wrote | #42 |
© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
0e1f616
(Get the code!)
:-) NP Seth - Yes the "local" was only for manual workarounds in this bug.
And the proposed fix is in the right place for the package.
The abstractions, or generally other places for that rule are interesting.
Because as I stated above while I now finally can recreate it in Focal it is gone in later versions. I was unable to find a clear sssd/libvirt change that fixed this - but chances are one of those abstractions already got a rule that now allows it.
#include <abstractions/base>
#include <abstractions/dbus>
Neither of them leads to such a rule in >=Groovy.
It really is systemd that changed.
The code was indeed present in 245 (Focal) but not later.
That is the code on v245 (Focal):
https:/
The whole functionality was added in v245 via
https:/
and removed in v246 via
https:/
That explains why we only see this in Focal - it is the only version containing that mechanism.
And I think it is fair to say that the switch of the underlying tech in systemd isn't backportable for an SRU (compared to the rule we propose).
It now also makes sense why e.g. the non local sssd user trigger this. When calling the service through the socket of libvirt it will try to check who has called and that is exactly when the nss services will all be probed. With system 245 this also implies this generated socket to be bound.
I'll have a look at further restricting the rule ...