[systemd-devel] [PATCH] selinux: fix selinux check for transient units
Daniel J Walsh
dwalsh at redhat.com
Mon Nov 4 12:05:31 PST 2013
On 11/04/2013 02:05 PM, Lennart Poettering wrote:
> On Mon, 04.11.13 17:06, Lennart Poettering (lennart at poettering.net) wrote:
>
>> On Thu, 31.10.13 15:51, Vaclav Pavlin (vpavlin at redhat.com) wrote:
>>
>>> From: Václav Pavlín <vpavlin at redhat.com>
>>
>> Sorry, I don't understand what this patch is doing. Please explain in a
>> commit message!
>
> Hmm, so, here's another idea. The transient units are created by a client
> process. We could easily determine the label of that client process.
> Wouldn't it be a better approach to calculate the label of the transient units
> somehow from the client process' label? This way we wouldn't need any
> additional systemd-specific infrastructure in libselinux.
>
> Dan, could that work?
>
> Lennart
>
I suppose it would. The only label we have for the clients is the process label.
What process types create these runtime objects and what do they request to do
with them?
Currently systemd asks for permissions on system class and service class, where
class system
{
    ipc_info
    syslog_read
    syslog_mod
    syslog_console
    module_request
    halt
    reboot
    status
    undefined
    enable
    disable
    reload
}
class service
{
    start
    stop
    status
    reload
    kill
    load
    enable
    disable
}
Do we have to add a rule like
allow sysadm_t networkmanager_t:service start;
Where networkmanager_t is a process type?
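To make concrete how the rule Dan asks about would be decided once a transient unit is labelled with its creating client's process type (Lennart's suggestion), here is an added example that is not code from this thread, from systemd or from libselinux: a small parser for the two quoted class declarations plus `allow` rules, and an AVC-style permission decision over them. The policy text is constructed for the example; the `init_t` type and the second `allow` line are assumptions, not taken from the mail.

```python
import re

# Constructed sample policy: the system and service classes exactly as quoted in
# the mail, the rule Dan proposes, and one assumed extra rule (init_t is hypothetical).
POLICY = """
class system { ipc_info syslog_read syslog_mod syslog_console module_request
               halt reboot status undefined enable disable reload }
class service { start stop status reload kill load enable disable }
allow sysadm_t networkmanager_t:service start;
allow sysadm_t init_t:system { status reload };
"""

CLASS_RE = re.compile(r"class\s+(\w+)\s*\{([^}]*)\}")
ALLOW_RE = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s+(\{[^}]*\}|\w+)\s*;")


def parse_policy(text):
    """Return ({class: {perms}}, {(src, tgt, class): {allowed perms}})."""
    classes = {m.group(1): set(m.group(2).split()) for m in CLASS_RE.finditer(text)}
    rules = {}
    for src, tgt, cls, perms in ALLOW_RE.findall(text):
        if cls not in classes:
            raise ValueError(f"unknown class {cls!r}")
        names = set(perms.strip("{} ").split())
        unknown = names - classes[cls]
        if unknown:  # a rule naming a permission the class does not declare is a policy bug
            raise ValueError(f"class {cls!r} has no permission(s) {sorted(unknown)}")
        rules.setdefault((src, tgt, cls), set()).update(names)
    return classes, rules


def check(rules, src, tgt, cls, perm):
    """AVC-style decision: deny unless an allow rule covers (src, tgt, cls, perm)."""
    return perm in rules.get((src, tgt, cls), set())


if __name__ == "__main__":
    _, rules = parse_policy(POLICY)
    # The transient unit inherits networkmanager_t, the client's process type.
    for perm in ("start", "stop"):
        verdict = check(rules, "sysadm_t", "networkmanager_t", "service", perm)
        print(f"sysadm_t -> networkmanager_t:service {perm}: {'allow' if verdict else 'deny'}")
```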