[systemd-devel] [PATCH] selinux: fix selinux check for transient units

Lennart Poettering lennart at poettering.net
Sat Nov 16 05:10:29 PST 2013


On Thu, 14.11.13 15:43, Daniel J Walsh (dwalsh at redhat.com) wrote:

> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On 11/14/2013 12:50 PM, Harald Hoyer wrote:
> > On 11/05/2013 11:12 PM, Daniel J Walsh wrote:
> >> On 11/05/2013 12:22 PM, Lennart Poettering wrote:
> > 
> >> Ok, let's add a check that checks for start on a service labeled with the
> >> remote process label, then we can add rules like
> > 
> >> allow systemd_logind_t self:service start
> > 
> >> Or we can make it simpler and have the local end check against the init_t
> >> process.
> > 
> >> allow systemd_logind_t init_t:service start;
> > 
> >> Which is probably a better solution, if we have no way of differentiating
> >> the services.
> > 
> >> Machineid usually runs as init_t now.
> > 
> >> systemd-run runs as the label of the process that executes it, usually
> >> unconfined_t and sysadm_t.
> > 
> > 
> > has any solution been found for this?
> > 
> > seems like one is needed for
> > https://bugzilla.redhat.com/show_bug.cgi?id=1008864
> > 
> 
> I guess the question I have is do you expect a patch from me?  Or are you guys
> working on it?  I would go with the checking based on process label.

I am hoping for a patch for this!

Thanks,

Lennart

-- 
Lennart Poettering, Red Hat