[systemd-devel] [PATCH] Add SELinuxContext configuration item
Michael Scherer
misc at zarb.org
Tue Dec 31 03:33:25 PST 2013
On Monday 30 December 2013 at 03:14 -0600, David Timothy Strauss wrote:
> On Sat, Dec 28, 2013 at 10:47 AM, Michael Scherer <misc at zarb.org> wrote:
> > So using templated units, we could do for example :
> > SELinuxContext=staff_u:staff_r:%s_t:s0-s0:c0.c1023
>
> In the spirit of making isolation easy, it would be neat to have a
> built-in convention for selinux isolation in systemd where the full
> service/unit name has a default context name, constructed much like
> the quoted example, that the admin or packager can use simply by
> turning isolation on (SELinux=true).
>
> We would love to use SELinuxContext= or SELinux= for our needs at Pantheon.
Using SELinux=true is a bit weird when it comes to the naming, because
SELinux=false wouldn't disable SELinux, it would just let the current
policy do the transition, that's a bit misleading.

I am not sure of the value of having 2 configuration files doing the same
thing. What about
SELinuxContext=auto, and so replace auto by some default configuration
in that case?
--
Michael Scherer