[systemd-devel] [PATCH 1/3] Add SELinuxContext configuration item
Daniel J Walsh
dwalsh at redhat.com
Tue Feb 11 07:37:36 PST 2014
On 02/07/2014 08:22 AM, Michael Scherer wrote:
> On Thursday, 06 February 2014 at 12:21 -0800, David Timothy Strauss wrote:
>> In order to maximize consistency with newly committed options in
>> systemd-nspawn, would it make sense to allow independent configuration of
>> the process and file labels instead?
>
> The file labels are decided by SELinux policy based on the path and/or
> process domain, from what I have seen.
>
> In the case of systemd-nspawn, it is done by using a specific option of
> mount, and only for tmpfs/devpts.
>
> So I am not sure if this can be done, and I fail to see a use case for that
> (except having containers described in .service, which could be nice but
> maybe too much).
>
Yes, the goal with the file system labels is for tmpfs file systems
created/mounted within systemd-nspawn.
If you are using a chrooted OS, then its labeling should be done outside the
command.
I wanted to also allow this to be generic so other labeling tools like SMACK
could also be used.
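The two file-labeling cases Dan describes above, as an added example that is not part of this thread or of the patch: a tmpfs created for a container gets its label from the mount(8) "context=" option, while a chrooted OS tree is labeled ahead of time through a file-context rule plus restorecon. The process-label side (the SELinuxContext item in the subject) is not shown. The mount point, the container root path and the context values are assumptions chosen for illustration; the privileged commands only run when the script is invoked with an explicit subcommand.

```shell
#!/bin/sh
# Added example, not code from systemd or from the patch under discussion.
# Paths and context values below are assumptions for illustration.

# Accept only a full SELinux context of the form user:role:type:level.
# The level may itself contain ':' and ',' (e.g. s0:c127,c456).
validate_context() {
    ctx=$1
    case $ctx in
        *:*:*:*) ;;
        *) return 1 ;;
    esac
    oldifs=$IFS; IFS=:
    set -- $ctx
    IFS=$oldifs
    [ $# -ge 4 ] || return 1
    # user, role and type must be non-empty identifiers; level non-empty.
    for f in "$1" "$2" "$3"; do
        case $f in
            ''|*[!A-Za-z0-9_.]*) return 1 ;;
        esac
    done
    [ -n "$4" ] || return 1
    return 0
}

# Extract the type field (third component) from a context string.
context_type() {
    validate_context "$1" || return 1
    t=${1#*:*:}
    printf '%s\n' "${t%%:*}"
}

# Build the mount(8) option string; context= is quoted so an MLS level
# containing commas is not split by the option parser.
tmpfs_mount_opts() {
    validate_context "$1" || return 1
    printf 'mode=0755,context="%s"\n' "$1"
}

# Case 1: a tmpfs created for the container, labeled at mount time.
# Usage: mount_labeled_tmpfs /var/lib/machines/demo/tmp system_u:object_r:container_file_t:s0
mount_labeled_tmpfs() {
    opts=$(tmpfs_mount_opts "$2") || return 1
    mount -t tmpfs -o "$opts" tmpfs "$1" || return 1
    # Show the context the kernel actually applied to the mount point.
    stat -c '%C' "$1"
}

# Case 2: a chrooted OS tree. Its labels come from policy file contexts,
# so add a rule for the tree and relabel it before systemd-nspawn runs.
# Usage: label_chroot_tree /var/lib/machines/demo system_u:object_r:container_file_t:s0
label_chroot_tree() {
    root=$1
    type=$(context_type "$2") || return 1
    semanage fcontext -a -t "$type" "$root(/.*)?" || return 1
    restorecon -R "$root" || return 1
    ls -Zd "$root"
}

# Privileged operations only run on explicit request (needs root and SELinux).
case ${1:-} in
    tmpfs)  mount_labeled_tmpfs "$2" "$3" ;;
    chroot) label_chroot_tree "$2" "$3" ;;
esac
```

The validation helper is deliberately strict about the first three fields and permissive about the level, because MLS levels such as s0:c127,c456 are legitimate and are the reason the context= value is quoted in the option string.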