[systemd-devel] [PATCH 1/3] Add SELinuxContext configuration item

Daniel J Walsh dwalsh at redhat.com
Tue Feb 11 07:37:36 PST 2014


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 02/07/2014 08:22 AM, Michael Scherer wrote:
> Le jeudi 06 février 2014 à 12:21 -0800, David Timothy Strauss a écrit :
>> In order to maximize consistency with newly committed options in 
>> systemd-nspawn, would it make sense to allow independent configuration of
>> the process and file labels instead?
> 
> 
> The file labels are decided by SELinux policy based on the path and/or 
> process domain, from what I have seen.
> 
> In the case of systemd-nspawn, it is done by using a specific option of 
> mount, and only for tmpfs/devpts.
> 
> So I am not sure if this can be done, and I fail to see a use case for that
> (except having containers described in .service, which could be nice but
> maybe too much).
> 
Yes, the goal with the file system labels is for tmpfs file systems
created/mounted within systemd-nspawn.

If you are using a chrooted OS, then its labeling should be done outside the
command.

I also wanted to allow this to be generic so other labeling tools like SMACK
could also be used.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlL6Q8AACgkQrlYvE4MpobNf8ACcC+B/5yvbOnOPiRoDQYiokGT+
xe0AmwR7qdFnJ/aqzTMfL0lcPYCUGYs2
=Pk3g
-----END PGP SIGNATURE-----
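The two labelling points discussed in this thread (a process label chosen per unit or per container, and a tmpfs file label applied at mount time through a mount option) can be illustrated with the unit fragments below. This is an added example, not a patch from the thread or from the systemd project: it uses the `SELinuxContext=` unit setting the patch series introduces, the `--selinux-context=`/`--selinux-apifs-context=` options of systemd-nspawn that David refers to, and the tmpfs `context=` mount option Michael describes. The labels `myapp_t` and `myapp_tmp_t`, the unit names and the paths are hypothetical placeholders; a real deployment uses types that exist in the installed policy.

```ini
# /etc/systemd/system/myapp.service  (hypothetical unit, added example)
# Process label only: the service runs in the domain named here instead of
# the domain the policy's automatic transition would pick. Files the service
# creates are still labelled by policy (type transition rules), not by this
# setting, which is the distinction Michael draws above.
[Unit]
Description=Example service confined to myapp_t (placeholder domain)

[Service]
ExecStart=/usr/bin/myapp
SELinuxContext=system_u:system_r:myapp_t:s0

[Install]
WantedBy=multi-user.target

# /etc/systemd/system/myapp-container.service  (hypothetical unit, added example)
# systemd-nspawn lets the process label and the label of the API file systems
# it mounts inside the container (tmpfs, devpts, ...) be set independently,
# which is the "newly committed options" David mentions.
[Unit]
Description=Example container with separate process and API-fs labels

[Service]
ExecStart=/usr/bin/systemd-nspawn -D /var/lib/machines/myapp \
    --selinux-context=system_u:system_r:myapp_t:s0 \
    --selinux-apifs-context=system_u:object_r:myapp_tmp_t:s0

# /etc/systemd/system/var-lib-myapp-scratch.mount  (hypothetical unit, added example)
# For a tmpfs outside a container, the same effect comes from the kernel's
# context= mount option: every file on this mount carries the given label.
[Unit]
Description=Scratch tmpfs labelled myapp_tmp_t (placeholder type)

[Mount]
What=tmpfs
Where=/var/lib/myapp/scratch
Type=tmpfs
Options=context=system_u:object_r:myapp_tmp_t:s0,nosuid,nodev

[Install]
WantedBy=multi-user.target
```

The split matters for review: `SELinuxContext=` and `--selinux-context=` decide what the process may do, while `context=` and `--selinux-apifs-context=` decide how the files it touches are labelled. A chrooted OS tree on a persistent file system, as Daniel notes, is labelled beforehand (with restorecon or the policy's file contexts), not through any of these options; after the units start, `ps -eZ` and `ls -Z` on the mount point show whether the expected labels are in effect.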
