[systemd-devel] [PATCH] selinux: fix selinux check for transient units
Lennart Poettering
lennart at poettering.net
Tue Nov 5 09:22:39 PST 2013
On Mon, 04.11.13 15:05, Daniel J Walsh (dwalsh at redhat.com) wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 11/04/2013 02:05 PM, Lennart Poettering wrote:
> > On Mon, 04.11.13 17:06, Lennart Poettering (lennart at poettering.net) wrote:
> >
> >> On Thu, 31.10.13 15:51, Vaclav Pavlin (vpavlin at redhat.com) wrote:
> >>
> >>> From: Václav Pavlín <vpavlin at redhat.com>
> >>
> >> Sorry, I don't understand what this patch is doing. Please explain in a
> >> commit message!
> >
> > Hmm, so, here's another idea. The transient units are created by a client
> > process. We could easily determine the label of that client process.
> > Wouldn't it a better approach to calculate the label of the transient units
> > somehow from the client process' label? This way wouldn't need any
> > additional systemd-specific infrastructure in libselinux.
> >
> > Dan, could that work?
> >
> > Lennart
> >
> I suppose it would. The only label we have for the clients is the process label.
>
> What process types create these runtime objects and what do they request to do
> with them?
Currently it's almost exclusively "systemd-machined", "systemd-logind"
and "systemd-run" which create transient units, for creating scopes to
run VM/containers in, sessions in and arbitrary user commands in.
> class service
> {
> start
> stop
> status
> reload
> kill
> load
> enable
> disable
> }
>
> Do we have to add a rule like
>
> allow sysadm_t networkmanager_t:service start;
>
> Where networkmanager_t is a process type?
Well, logind, machined, systemd-run would need the permission to start a
transient service, that'd be all really...
Lennart
--
Lennart Poettering, Red Hat
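Added illustration, not part of this thread and not code from systemd or any distribution's SELinux policy: a loadable policy module in SELinux TE syntax that grants the three callers Lennart names the "start" permission on the "service" class Dan lists. The domain names systemd_logind_t and systemd_machined_t are assumed to match the distribution policy's naming for those daemons; sysadm_t is taken from Dan's example as the caller domain for systemd-run; transient_unit_t is a constructed placeholder for whatever label the transient unit ends up carrying, since the thread has not yet settled how that label is derived from the client's process label.

```selinux
# Added example (not from the thread). Loadable module granting only
# the "start" permission on the "service" class to the domains that
# create transient units.
policy_module(transient_units, 1.0)

# Constructed placeholder: the label a transient unit receives.
type transient_unit_t;

gen_require(`
    # Assumed domain names for the two daemons; sysadm_t is the
    # caller domain for systemd-run, as in Dan's example rule.
    type systemd_logind_t;
    type systemd_machined_t;
    type sysadm_t;
    # The class and permissions exactly as listed in Dan's message.
    # A module can only require the class; it must already be declared
    # in the base policy (security_classes / access_vectors).
    class service { start stop status reload kill load enable disable };
')

# Creating a transient unit needs "start" only; stop/kill/enable/etc.
# are deliberately not granted to keep the rules least-privilege.
allow systemd_logind_t   transient_unit_t:service start;
allow systemd_machined_t transient_unit_t:service start;
allow sysadm_t           transient_unit_t:service start;
```

Build and load it with the refpolicy devel Makefile (make -f /usr/share/selinux/devel/Makefile transient_units.pp; semodule -i transient_units.pp), then confirm the resulting rules with sesearch -A -s systemd_logind_t -c service. If the base policy does not declare the service class, the require block fails at build time, which is the first thing to check when the module will not load.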