[systemd-devel] Latest SELinux Access Patch.

Lennart Poettering lennart at poettering.net
Mon Sep 17 17:26:36 PDT 2012

On Thu, 06.09.12 16:23, Daniel J Walsh (dwalsh at redhat.com) wrote:


sory for taking so much time for a review!

> This patch adds the ability to look at the calling process that is trying to
> do dbus calls into systemd, then it checks with the SELinux policy to see if
> the calling process is allowed to do the activity.
> The basic idea is we want to allow NetworkManager_t to be able to start and
> stop ntpd.service, but not necessarly mysqld.service.
> Similarly we want to allow a root admin webadm_t that can only manage the
> apache environment.  systemctl enable httpd.service, systemctl disable
> iptables.service bad.
> To make this code cleaner, we really need to refactor the dbus-manager.c code.
>  This has just become a huge if-then-else blob, which makes doing the correct
> check difficult.

This looked pretty good to me, and so I have merged this now. I made a
couple of changes afterwards:

- I turned the method table into a null char separated string. THis
  should make things a bit more readable, and get rid of a lot of
  relocations. I do have suspicion though that many of entries that are
  currently in there are not right, they should be reviewed again.

- The audit data is now retrieved via the library calls we already had
  in util.c for this.

- We should prefer the source path over the fragment path for a unit
  when detecting the label. The fragment path might be auto-generated,
  while the source path is the source of the auto-generation. I have
  changed the sources accordingly.

I'd like to see one more thing changed: 

- Share more code wiht the rest of the SELinux bits in systemd, for
example the caching of whether selinux is enabled or not.

Otherwise looks pretty OK to me now. Please have another look on what I
merged, in case I broke somethng with my changes.


Lennart Poettering - Red Hat, Inc.

More information about the systemd-devel mailing list