[systemd-devel] [PATCH] selinux: fix selinux check for transient units

Harald Hoyer harald at redhat.com
Thu Nov 14 09:50:53 PST 2013



On 11/05/2013 11:12 PM, Daniel J Walsh wrote:
> On 11/05/2013 12:22 PM, Lennart Poettering wrote:
> 
> OK, let's add a check that checks for start on a service labeled with the remote
> process label, then we can add rules like
> 
> allow systemd_logind_t self:service start;
> 
> Or we can make it simpler and have the local end check against the init_t process.
> 
> allow systemd_logind_t init_t:service start;
> 
> Which is probably a better solution, if we have no way of differentiating the
> services.
> 
> Machineid usually runs as init_t now.
> 
> systemd-run runs as the label of the process that executes it, usually
> unconfined_t, and sysadm_t.
> 

Has any solution been found for this?

Seems like one is needed for https://bugzilla.redhat.com/show_bug.cgi?id=1008864

