[systemd-devel] [PATCH] selinux: fix selinux check for transient units

Daniel J Walsh dwalsh at redhat.com
Mon Nov 18 13:19:20 PST 2013



On 11/16/2013 08:10 AM, Lennart Poettering wrote:
> On Thu, 14.11.13 15:43, Daniel J Walsh (dwalsh at redhat.com) wrote:
> 
>> 
>> On 11/14/2013 12:50 PM, Harald Hoyer wrote:
>>> On 11/05/2013 11:12 PM, Daniel J Walsh wrote:
>>>> On 11/05/2013 12:22 PM, Lennart Poettering wrote:
>>> 
>>>> Ok, let's add a check that checks for start on a service labeled with
>>>> the remote process label, then we can add rules like
>>> 
>>>> allow systemd_logind_t self:service start
>>> 
>>>> Or we can make it simpler and have the local end check against the
>>>> init_t process.
>>> 
>>>> allow systemd_logind_t init_t:service start;
>>> 
>>>> Which is probably a better solution, if we have no way of
>>>> differentiating the services.
>>> 
>>>> Machineid usually runs as init_t now.
>>> 
>>>> systemd-run runs as the label of the process that executes it,
>>>> usually unconfined_t and sysadm_t.
>>> 
>>> 
>>> Has any solution been found for this?
>>> 
>>> Seems like one is needed for
>>> https://bugzilla.redhat.com/show_bug.cgi?id=1008864
>>> 
>> 
>> I guess the question I have is do you expect a patch from me?  Or are you
>> guys working on it?  I would go with the checking based on process
>> label.
> 
> I am hoping for a patch for this!
> 
> Thanks,
> 
> Lennart
> 

This patch adds a new call for SELINUX_SNAPSHOT_ACCESS_CHECK, because I
believe this error will happen when a snapshot is created.  Also, "system" is
now passed in when doing a system check.  If it is doing a service check and no
unit file is passed in, we default the target to the label that systemd is
running with.

How does this patch look?

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Fix-SELinux-check-for-snapshot-creation.patch
Type: text/x-patch
Size: 3755 bytes
Desc: not available
URL: <http://lists.freedesktop.org/archives/systemd-devel/attachments/20131118/db13cd9c/attachment.bin>
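As an added illustration (not systemd's code and not the scrubbed patch), a small Python model of the target-label choice the patch description sets out: a file-backed unit is checked against its unit file's label, while a transient unit has no file and is checked against the label systemd itself runs with. The policy table, the example unit path and the label example_unit_file_t are constructed for the model; only the allow rule for systemd_logind_t comes from the thread.

```python
from dataclasses import dataclass, field


@dataclass
class Policy:
    """Loaded policy modelled as a set of allow rules (constructed here)."""
    # Each rule is (source type, target type, object class, permission),
    # mirroring `allow systemd_logind_t init_t:service start;` from the thread.
    rules: set = field(default_factory=set)

    def allows(self, scon: str, tcon: str, cls: str, perm: str) -> bool:
        return (scon, tcon, cls, perm) in self.rules


@dataclass
class Manager:
    """Stand-in for the systemd manager performing the access check."""
    own_label: str        # label the manager itself runs with (init_t)
    unit_labels: dict     # unit file path -> file label (constructed)
    policy: Policy

    def target_label(self, unit_path):
        # A unit backed by a file is checked against that file's label; a
        # transient unit has no file, so fall back to the manager's own label,
        # which is the default the patch description in the thread sets out.
        if unit_path is None:
            return self.own_label
        return self.unit_labels[unit_path]

    def access_check(self, scon, unit_path, cls, perm):
        """True if policy allows `scon` to do `perm` on the chosen target."""
        return self.policy.allows(scon, self.target_label(unit_path), cls, perm)


def build_example_manager():
    policy = Policy({
        ("systemd_logind_t", "init_t", "service", "start"),           # from the thread
        ("unconfined_t", "example_unit_file_t", "service", "start"),  # constructed
        ("unconfined_t", "init_t", "system", "reload"),               # constructed
    })
    units = {"/usr/lib/systemd/system/example.service": "example_unit_file_t"}
    return Manager("init_t", units, policy)


if __name__ == "__main__":
    m = build_example_manager()
    # logind starting a transient (file-less) unit is checked against init_t
    print(m.access_check("systemd_logind_t", None, "service", "start"))  # True
    # the same caller has no rule for the file-backed unit's label
    print(m.access_check("systemd_logind_t",
                         "/usr/lib/systemd/system/example.service",
                         "service", "start"))  # False
```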