[systemd-devel] This patch adds SELinux support to systemd for socket creation.

Daniel J Walsh dwalsh at redhat.com
Thu Jul 22 14:01:25 PDT 2010


It seems to work on my machine.

I have a question on this comment.

        /* FIXME SELINUX: Somewhere here we must set the SELinux
           context for the created sockets and FIFOs. To figure out
           the executable name for this, use
           socket_instantiate_service() and then access the executable
           path name via
           s->service->exec_command[SERVICE_EXEC_START]->path. Example:

        if ((r = socket_instantiate_service(s)) < 0)
                return r;

        log_debug("Socket unit %s will spawn service unit %s with executable path %s.",
                  s->meta.id,
                  s->service->meta.id,
                  s->service->exec_command[SERVICE_EXEC_START]->path);
        */


Was I supposed to uncomment this code, or was this already called earlier
in the code?

# getfilecon /proc/1/fd/* | grep dbus
/proc/1/fd/20	system_u:system_r:system_dbusd_t:s0

# getfilecon /proc/1/fd/* | grep avahi
/proc/1/fd/21	system_u:system_r:avahi_t:s0

And the AVCs seem to have disappeared when a confined app tries to
connect to dbus or avahi.

If you run with this patch and selinux-policy-3.8.8-3.fc14.noarch,
you should be able to boot in enforcing mode.

If this patch is accepted, I will work on a patch to make sure

        mkdir_parents(path, directory_mode);

labels directories correctly.  If this works, then we can begin discussing
getting rid of /var/run/* on boot.

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: systemd-selinux.patch
URL: <http://lists.freedesktop.org/archives/systemd-devel/attachments/20100722/6e32a0ad/attachment.asc>
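The getfilecon check above, turned into a repeatable audit of the sockets PID 1 holds. This is an added example, not code from the posted patch or from systemd itself. It assumes coreutils' getfilecon(1) is installed and that init's own domains are named as in stock Fedora policy (init_t, initrc_t, unconfined_t); the sample lines are constructed, the first two copied from the output quoted in the mail.

```shell
#!/bin/sh
# Added example (not from the patch or from systemd): after the patch, a
# socket unit's fd in PID 1 should carry the target service's domain
# (system_dbusd_t, avahi_t, ...), not init's own domain. Sockets left in
# init's domain are what produced the AVC denials for confined clients.

# Print the SELinux type (third field of user:role:type:level) from one
# getfilecon(1) output line of the form "<path><TAB><context>".
label_type() {
    printf '%s\n' "$1" | awk -F'\t' '{ n = split($2, c, ":"); t = (n >= 3) ? c[3] : ""; print t }'
}

# Verdict for one PID 1 socket line: "ok" if it carries a service domain,
# "init-domain" if it is still labeled with init's own domain, "unknown"
# if the line carried no context at all. The init-domain names are an
# assumption based on stock Fedora policy naming.
label_verdict() {
    t=$(label_type "$1")
    case "$t" in
        "")                            echo "unknown" ;;
        init_t|initrc_t|unconfined_t)  echo "init-domain" ;;
        *)                             echo "ok" ;;
    esac
}

# Report on a set of getfilecon lines (one per argument).
# Returns 0 only when every socket is labeled with a service domain.
audit_labels() {
    rc=0
    for line in "$@"; do
        v=$(label_verdict "$line")
        printf '%s\t%s\n' "$v" "$line"
        [ "$v" = "ok" ] || rc=1
    done
    return $rc
}

# Live check on a real SELinux box: only the socket fds of PID 1.
# Needs root to read /proc/1/fd and getfilecon (libselinux-utils on Fedora).
audit_pid1_sockets() {
    command -v getfilecon >/dev/null 2>&1 || { echo "getfilecon not available" >&2; return 2; }
    set --
    for fd in /proc/1/fd/*; do
        case "$(readlink "$fd" 2>/dev/null)" in
            socket:*) set -- "$@" "$(getfilecon "$fd" 2>/dev/null)" ;;
        esac
    done
    audit_labels "$@"
}

# Constructed sample lines; the first two mirror the mail's getfilecon output,
# the third is what an unlabeled socket would look like before the patch.
SAMPLE_DBUS=$(printf '/proc/1/fd/20\tsystem_u:system_r:system_dbusd_t:s0')
SAMPLE_AVAHI=$(printf '/proc/1/fd/21\tsystem_u:system_r:avahi_t:s0')
SAMPLE_BAD=$(printf '/proc/1/fd/22\tsystem_u:system_r:init_t:s0')

# Offline demo over the constructed lines (exit status 1 is expected here
# because of SAMPLE_BAD; swallowed so the script can be sourced).
audit_labels "$SAMPLE_DBUS" "$SAMPLE_AVAHI" "$SAMPLE_BAD" || :
```

On a running system, source the file and call `audit_pid1_sockets` as root; a non-zero exit means at least one socket PID 1 created for a socket unit is still in init's domain and will trip AVCs for confined clients.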