[systemd-devel] [PATCH] socket: introduce SELinuxLabeledNet option
Lennart Poettering
lennart at poettering.net
Wed Aug 20 15:47:40 PDT 2014
On Wed, 20.08.14 19:08, Michal Sekletar (msekleta at redhat.com) wrote:
>
> On Wed, Aug 13, 2014 at 09:42:14PM +0200, Lennart Poettering wrote:
> <snip>
> > > @@ -1773,6 +1782,9 @@ static void socket_enter_running(Socket *s, int cfd) {
> > > cfd = -1;
> > > s->n_connections ++;
> > >
> > > + if (s->selinux_labeled_net)
> > > + service->exec_context.selinux_labeled_net = true;
> > > +
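Review bot: in the `socket_enter_running` hunk, `service->exec_context.selinux_labeled_net` is only ever set to true and nothing here clears it again, so the flag remains in the service's exec context after this particular connection has been handed off. Carrying it with the descriptor instead, for example as an extra bool argument to `service_set_socket_fd()` stored next to `socket_fd` and then passed as a parameter down to `exec_spawn()`, keeps the per-connection labeling decision out of the shared exec context.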
> >
> > This I don't like. We shouldn't make permanent changes here... I'd
> > prefer if we could pass this somehow else, so that the service isn't
> > changed permanently...
>
> Well I don't like this either but I don't know of any other way to pass
> that flag all the way down to exec_spawn. However, is this really an issue if
> the new option will work only for Accept=true services?
I think adding this as bool parameter to service_set_socket_fd() should
be OK. I think it would be a good idea to store this in a field in the
Service structure that is named very similar to "socket_fd", to make
clear that this field belongs closely to this socket fd. Maybe
socket_fd_selinux_net_context or so...
And then, add a new param to exec_spawn() or so to pass it from the
service to execution code.
Lennart
--
Lennart Poettering, Red Hat
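The two ways of plumbing the flag discussed above, as an added C example that is not systemd code: the `Socket`, `Service` and `ExecContext` structs are cut-down stand-ins, `spawn_mutating` mirrors the patch hunk, and `spawn_per_fd` follows Lennart's suggestion of a `service_set_socket_fd()` bool argument stored beside `socket_fd`. The example only shows that the mutating form outlives the connection; whether a Service object is ever reused that way with Accept=yes is the question Michal raises.

```c
#include <stdbool.h>
#include <stdio.h>

/* Added example, not systemd code: minimal stand-ins for the structures
 * named in the thread. */
typedef struct ExecContext { bool selinux_labeled_net; } ExecContext;
typedef struct Service {
        ExecContext exec_context;
        int socket_fd;
        bool socket_fd_selinux_net_context; /* per-fd flag, Lennart's suggestion */
} Service;
typedef struct Socket { bool selinux_labeled_net; } Socket;

/* Form in the patch hunk: the flag is written into the service's shared
 * exec context and nothing ever clears it. Returns what exec_spawn would see. */
static bool spawn_mutating(Service *svc, Socket *sock, int cfd) {
        svc->socket_fd = cfd;
        if (sock->selinux_labeled_net)
                svc->exec_context.selinux_labeled_net = true;
        return svc->exec_context.selinux_labeled_net;
}

/* Suggested form: the flag travels with the descriptor and is rebound on
 * every call, so the exec context itself is left untouched. */
static void service_set_socket_fd(Service *svc, int fd, bool labeled_net) {
        svc->socket_fd = fd;
        svc->socket_fd_selinux_net_context = labeled_net;
}
static bool spawn_per_fd(Service *svc, Socket *sock, int cfd) {
        service_set_socket_fd(svc, cfd, sock->selinux_labeled_net);
        return svc->socket_fd_selinux_net_context;
}

/* Activate the same Service object first from a socket with the option set,
 * then from one without it, and report what the second spawn sees. */
bool stale_flag_leaks(bool use_per_fd) {
        Service svc = {0};
        Socket labeled = { .selinux_labeled_net = true };
        Socket plain = { .selinux_labeled_net = false };
        bool (*spawn)(Service *, Socket *, int) = use_per_fd ? spawn_per_fd : spawn_mutating;
        spawn(&svc, &labeled, 3); /* constructed fd numbers, not real descriptors */
        return spawn(&svc, &plain, 4);
}

int main(void) {
        printf("mutating exec_context: second spawn labeled=%d\n", stale_flag_leaks(false));
        printf("per-fd flag:           second spawn labeled=%d\n", stale_flag_leaks(true));
        return 0;
}
```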