[systemd-devel] [PATCH] selinux: fix selinux check for transient units
Daniel J Walsh
dwalsh at redhat.com
Thu Nov 14 12:43:01 PST 2013
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 11/14/2013 12:50 PM, Harald Hoyer wrote:
> On 11/05/2013 11:12 PM, Daniel J Walsh wrote:
>> On 11/05/2013 12:22 PM, Lennart Poettering wrote:
>
>> Ok, let's add a check that checks for start on a service labeled with the
>> remote process label, then we can add rules like
>
>> allow systemd_logind_t self:service start
>
>> Or we can make it simpler and have the local end check against the init_t
>> process.
>
>> allow systemd_logind_t init_t:service start;
>
>> Which is probably a better solution, if we have no way of differentiating
>> the services.
>
>> Machineid usually runs as init_t now.
>
>> systemd-run runs as the label of the process that executes it, usually
>> unconfined_t and sysadm_t.
>
>
> has any solution been found for this?
>
> seems like one is needed for
> https://bugzilla.redhat.com/show_bug.cgi?id=1008864
>
I guess the question I have is: do you expect a patch from me, or are you guys
working on it? I would go with the checking based on process label.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iEYEARECAAYFAlKFNdUACgkQrlYvE4MpobNuXACg1eKUvMGKMv5zuwKHDvj44K+F
L6gAn3sQtD0QvGUUmJWRGRSolZTdOqN0
=pYrx
-----END PGP SIGNATURE-----
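The two designs in the quoted reply differ only in which label the manager uses as the target of the `service start` check for a transient unit: the caller's own label (so the policy rule reads `self`) or the label of PID 1 (`init_t`). The following Python is an added illustration and is not systemd's or the SELinux reference policy's code; it parses the two allow rules quoted above with a toy rule matcher and evaluates both designs against constructed security contexts, so the difference (and why the `self` rule does not satisfy an `init_t` target check, or vice versa) can be seen without a running SELinux system. The context strings and the `check_transient_start` helper are assumptions made for the example.

```python
"""Toy evaluation of the two SELinux check designs for transient units.

Added example: not systemd code. Real enforcement is done in the kernel
against a compiled policy; this only models the allow-rule lookup."""
from __future__ import annotations

import re
from dataclasses import dataclass

# The two candidate rules from the mailing-list discussion, as TE text.
POLICY_SELF = "allow systemd_logind_t self:service start;"
POLICY_INIT = "allow systemd_logind_t init_t:service start;"

# Constructed contexts for the example (not taken from a real system):
# the D-Bus peer (logind), PID 1, and an unconfined admin running systemd-run.
LOGIND_CON = "system_u:system_r:systemd_logind_t:s0"
INIT_CON = "system_u:system_r:init_t:s0"
UNCONFINED_CON = "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023"


@dataclass(frozen=True)
class AllowRule:
    source: str
    target: str            # a type name, or the keyword "self"
    tclass: str
    perms: frozenset[str]


# Matches: allow <src> <tgt>:<class> <perm | { perm ... }>;
_RULE = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s+(\{[^}]*\}|\w+)\s*;")


def parse_rules(text: str) -> list[AllowRule]:
    """Parse simple TE allow rules (no attributes, no negation)."""
    rules = []
    for m in _RULE.finditer(text):
        src, tgt, cls, perms = m.groups()
        rules.append(AllowRule(src, tgt, cls, frozenset(perms.strip("{}").split())))
    return rules


def context_type(ctx: str) -> str:
    """Return the type field of 'user:role:type[:range]'."""
    parts = ctx.split(":")
    if len(parts) < 3:
        raise ValueError(f"not a security context: {ctx!r}")
    return parts[2]


def allowed(rules: list[AllowRule], scon: str, tcon: str, tclass: str, perm: str) -> bool:
    """Allow-rule lookup: 'self' means the target type equals the source type."""
    stype, ttype = context_type(scon), context_type(tcon)
    for r in rules:
        target = stype if r.target == "self" else r.target
        if r.source == stype and target == ttype and r.tclass == tclass and perm in r.perms:
            return True
    return False


def check_transient_start(peer_con: str, rules: list[AllowRule], design: str) -> bool:
    """Model the manager's check for starting a transient unit.

    design == "self": the target label is the peer's own process label.
    design == "init": the target label is PID 1's label (init_t).
    """
    if design == "self":
        tcon = peer_con
    elif design == "init":
        tcon = INIT_CON
    else:
        raise ValueError(design)
    return allowed(rules, peer_con, tcon, "service", "start")


if __name__ == "__main__":
    for design, policy in (("self", POLICY_SELF), ("init", POLICY_INIT)):
        rules = parse_rules(policy)
        for con in (LOGIND_CON, UNCONFINED_CON):
            print(design, context_type(con), check_transient_start(con, rules, design))
```

Under the `init` design every caller is checked against the same target, so a single rule per caller type suffices, which is the "simpler" option the reply prefers when the services themselves cannot be told apart; the `self` design needs the caller to be allowed `start` on its own type and says nothing about which unit is being started either.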