[systemd-devel] [PATCH] timesyncd: tighten unit file

Cameron Norman camerontnorman at gmail.com
Tue Jan 27 14:58:10 PST 2015


On Tue, Jan 27, 2015 at 1:16 PM, Lennart Poettering
<lennart at poettering.net> wrote:
> On Tue, 27.01.15 19:47, Topi Miettinen (toiwoton at gmail.com) wrote:
>
>> I'm not sure. Shouldn't we then ship a SELinux policy file? Would
>> you be interested in an AppArmor profile for timesyncd? I have one. Also,
>> if a distro uses weird SELinux policies or setuid helpers at every
>> possible opportunity, shouldn't they have some responsibility of fixing
>> their setup?
>
> Well, SELinux policy is managed in a central selinux policy database
> that is shipped in one big RPM. My selinux-fu is not good enough to
> maintain the policy file in systemd, and I am not sure this even is
> generic enough to be able to ship the same selinux policy that works
> across all distros that do selinux.
>
> If Apparmor policies are standardized and stand-alone enough, and
> there's a clear way to install them, and you are willing to look after
> it, then yes, I'd merge a patch that adds apparmor profiles to systemd
> upstream.

A good idea would be to set the apparmor profile(s) to warn-only mode
for some period of time, and then let distros patch (this would be a
one-liner) that to be in enforce mode if they want to test it out.

One possible issue is that AppArmor profiles are installed in /etc.
Will that be a problem WRT the whole stateless system initiative, or
is it an acceptable exception to the "only comments in /etc" rule?

Cheers,
--
Cameron
