[systemd-devel] [PATCH] socket: introduce SELinuxLabeledNet option

Michal Sekletar msekleta at redhat.com
Wed Aug 20 10:08:01 PDT 2014


On Wed, Aug 13, 2014 at 09:42:14PM +0200, Lennart Poettering wrote:
<snip>
> > @@ -1773,6 +1782,9 @@ static void socket_enter_running(Socket *s, int cfd) {
> >                  cfd = -1;
> >                  s->n_connections ++;
> >  
> > +                if (s->selinux_labeled_net)
> > +                        service->exec_context.selinux_labeled_net = true;
> > +
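Review bot: the flag is only ever set, never cleared, so once a connection arrives while `s->selinux_labeled_net` is true the template service's `exec_context` stays marked for every later spawn, even if the socket unit is reloaded with the option dropped; an unconditional `service->exec_context.selinux_labeled_net = s->selinux_labeled_net;` would at least keep the two in sync, and passing the value per spawn instead of mutating the shared context would avoid the persistence entirely.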
> 
> This I don't like. We shouldn't make permanent changes here... I'd
> prefer if we could pass this somehow else, so that the service isn't
> changed permanently...

Well I don't like this either, but I don't know of any other way to pass
that flag all the way down to exec_spawn. However, is this really an issue if
the new option will work only for Accept=true services?

> 
> I must say I feel a bit uneasy about the naming of SELinuxContext= and
> SELinuxLabeledNet=... One uses the term "context", the other one
> "label". afaiu that's actually the same thing, no? If it is, can we use
> the same terminology here? (which would mean sticking to "context" since
> that's what we already are using...)
> 
> Lennart
> 
> -- 
> Lennart Poettering, Red Hat
