[systemd-devel] [PATCH] selinux: fix selinux check for transient units
Daniel J Walsh
dwalsh at redhat.com
Tue Nov 5 14:12:49 PST 2013
On 11/05/2013 12:22 PM, Lennart Poettering wrote:
OK, let's add a check that checks for start on a service labeled with the remote
process label, then we can add rules like

    allow systemd_logind_t self:service start;

Or we can make it simpler and have the local end check against the init_t process.

    allow systemd_logind_t init_t:service start;

Which is probably a better solution, if we have no way of differentiating the
services.

Machineid usually runs as init_t now.

systemd-run runs as the label of the process that executes it, usually
unconfined_t and sysadm_t.