[systemd-devel] This patch adds SELinux support to systemd for socket creation.

Daniel J Walsh dwalsh at redhat.com
Fri Jul 23 03:30:54 PDT 2010


On 07/22/2010 11:11 PM, Lennart Poettering wrote:
> On Thu, 22.07.10 17:01, Daniel J Walsh (dwalsh at redhat.com) wrote:
> 
>>         if ((r = socket_instantiate_service(s)) < 0)
>>                 return r;
>>
>>         log_debug("Socket unit %s will spawn service unit %s with executable path %s.",
>>                   s->meta.id,
>>                   s->service->meta.id,
>>                   s->service->exec_command[SERVICE_EXEC_START]->path);
>>         */
>>
>>
>> Was I supposed to uncomment this code or was this already called earlier
>> in the code.
> 
> Yupp. It isn't necessary for the avahi/dbus cases but for
> one-instance-per-connection daemons in classic inetd style (which we
> want to use for sshd) this matters.
> 
> Thanks a lot for your patches. Very much appreciated! I have now merged
> it and uncommented that one line. I also added a call to
> setsockcreatecon(NULL) after the socket() call, I presume it was just
> forgotten?
> 
> I think util.[ch] might actually be a better place for
> selinux_getconfromexe() and selinux_getfileconfrompath(). I haven't
> moved them there for now, since that would mean dropping the "static",
> and since they have the selinux_ prefix they might then clash with other
> symbols from the libselinux library namespace? I presume that libselinux
> should be the sole owner of the selinux_xxx namespace?
> 

If only we could go back and make that so.  :^)

The selinux namespace seems to be all over the board.  I just added the
selinux_ so that you would recognize the calls as selinux calls.  You
can call them whatever you want.  And moving them to util.c is fine.

The setsocketcon(NULL) is fine; it is probably safer that way, so init.d
does not accidentally create a socket with the wrong label.

> Thanks,
> 
> Lennart
> 

I thought I saw AVCs caused by systemd creating some devices with
the wrong labels?  I searched for mknod but found no calls.  Does
systemd create any nodes?

