[systemd-devel] [PATCH] selinux: fix selinux check for transient units
Lennart Poettering
lennart at poettering.net
Sat Nov 16 05:10:29 PST 2013
On Thu, 14.11.13 15:43, Daniel J Walsh (dwalsh at redhat.com) wrote:
>
> On 11/14/2013 12:50 PM, Harald Hoyer wrote:
> > On 11/05/2013 11:12 PM, Daniel J Walsh wrote:
> >> On 11/05/2013 12:22 PM, Lennart Poettering wrote:
> >
> >> OK, let's add a check that checks for start on a service labeled with the
> >> remote process label; then we can add rules like
> >
> >> allow systemd_logind_t self:service start
> >
> >> Or we can make it simpler and have the local end check against the init_t
> >> process.
> >
> >> allow systemd_logind_t init_t:service start;
> >
> >> Which is probably a better solution, if we have no way of differentiating
> >> the services.
> >
> >> Machineid usually runs as init_t now.
> >
> >> systemd-run runs as the label of the process that executes it, usually
> >> unconfined_t and sysadm_t.
> >
> >
> > Has any solution been found for this?
> >
> > It seems like one is needed for
> > https://bugzilla.redhat.com/show_bug.cgi?id=1008864
> >
>
> I guess the question I have is: do you expect a patch from me? Or are you guys
> working on it? I would go with the check based on process label.
I am hoping for a patch for this!
Thanks,
Lennart
--
Lennart Poettering, Red Hat