[systemd-devel] SELinux code in method_{disable, enable}_unit_files_generic() functions
Lennart Poettering
mzqohf at 0pointer.de
Thu Nov 6 15:52:35 PST 2014
On Tue, 04.11.14 09:17, Laurent Bigonville (bigon at debian.org) wrote:
> Hello,
>
> After looking a bit around the code, I've two questions about the
> SELinux code in method_{disable,enable}_unit_files_generic() functions.
>
> In method_enable_unit_files_generic(),
> mac_selinux_unit_access_check_strv() is used to check the SELinux
> permissions while in method_disable_unit_files_generic(),
> mac_selinux_access_check() is used.
The enablement commands can only work for unit files that are
installed. This is different for the disablement commands. You can use
them to remove symlinks to unit files that have already been
removed. For removal, no unit files need to exist.
> Also, I'm a bit puzzled by the fact that you pass the "disable" verb to
> the method_enable_unit_files_generic() function in the case of
> masking/unmasking a service (and the opposite is also true with the
> disable function).
Well, the way selinux works is that there shouldn't be an arbitrary
number of verbs we use to protect these things in the policy. Hence
for the unit file management we try to break things down to just
"enable" and "disable". Now, masking/unmasking doesn't really map
nicely to that. Since masking a unit is a bit like a "disable on
steroids" we map it to "disable". But unmasking a unit is not really
enabling either, hence we also map it to "disable".
> Am I missing something here? Or should a bug be opened?
No bug, this is indeed weird, but it's how SELinux works I guess...
Lennart
--
Lennart Poettering, Red Hat