[systemd-devel] SELinux labels on unix sockets
Lennart Poettering
lennart at poettering.net
Fri Mar 6 04:23:33 PST 2015
On Fri, 06.03.15 13:04, Jan Synáček (jsynacek at redhat.com) wrote:
> Hello,
>
> when systemd creates a socket file, it explicitly calls a selinux
> procedure to label it. I don't think that is needed, as the kernel does
> the right thing when the socket is created. Am I missing something? Why
> is the explicit labeling in place?
Well, it's complicated.
If we use socket activation we label a socket taking into account the
label of the binary that is eventually started for it.
And then, for file system sockets the kernel could traditionally only
derive the label to use from the directory the socket was created in,
which makes it difficult to have multiple sockets in the same
directory with different labels, which is pretty frequently done
though. That said, I think this limitation was lifted a while back in
the kernel, and the policy can now also take the socket file name into
consideration and derive different labels automatically.
Ultimately, I only superficially understand the selinux code. We rely
on patches from Dan & co to keep it up-to-date. Better keep him in the
loop.
Lennart
--
Lennart Poettering, Red Hat
More information about the systemd-devel
mailing list