[systemd-devel] systemd.socket man pages update suggestion

Ted Toth txtoth at gmail.com
Thu Jun 10 18:44:03 UTC 2021


 SELinuxContextFromNet=
           Takes a boolean argument. When true, systemd will attempt to
           figure out the SELinux label used for the instantiated
           service from the information handed by the peer over the
           network. Note that only the security level is used from the
           information provided by the peer. Other parts of the
           resulting SELinux context originate from either the target
           binary that is effectively triggered by socket unit or from
           the value of the SELinuxContext= option. This configuration
           option only affects sockets with Accept= mode set to "yes".
           Also note that this option is useful only when MLS/MCS
           SELinux policy is deployed. Defaults to "false".

Add:
One or more of the associated service file's StandardInput/StandardOutput/StandardError
options should be set to socket for this option to work.

From execute.c:
        if (context->std_input == EXEC_INPUT_SOCKET ||
            context->std_output == EXEC_OUTPUT_SOCKET ||
            context->std_error == EXEC_OUTPUT_SOCKET) {

                if (params->n_fds != 1) {
                        log_unit_error(params->unit_id, "Got more than one socket.");
                        return -EINVAL;
                }

                /* the single accepted connection becomes the service's stdio */
                socket_fd = params->fds[0];
        } else {
                /* no stdio stream is bound to the socket: hand the fds on instead */
                socket_fd = -1;
                fds = params->fds;
                n_fds = params->n_fds;
        }

When socket_fd is -1, the SELinux context is not computed. Text like
this would have saved a lot of head scratching and code reading :(

Ted
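
An added example of the two configurations the post contrasts, constructed for this page and not taken from the post or from systemd itself; the unit names mlsd.socket and mlsd@.service, the port and the /usr/local/bin/mlsd path are hypothetical:

```ini
# --- mlsd.socket: identical in both variants (hypothetical unit) ---
[Unit]
Description=MLS-labelled per-connection service (example)

[Socket]
ListenStream=0.0.0.0:7777
# Accept=yes spawns one mlsd@<n>.service instance per connection, the only
# mode SELinuxContextFromNet= applies to.
Accept=yes
SELinuxContextFromNet=yes

[Install]
WantedBy=sockets.target

# --- mlsd@.service, WEAK: no stdio stream is bound to the socket ---
# systemd hands the connection over through fds[] (socket_fd stays -1), so
# the peer's security level is never read and the instance runs in the plain
# transition context of /usr/local/bin/mlsd. These are the usual defaults,
# written out so the difference is visible.
[Unit]
Description=mlsd connection %i (weak)

[Service]
ExecStart=/usr/local/bin/mlsd
StandardInput=null
StandardOutput=journal
StandardError=journal

# --- mlsd@.service, CORRECTED: at least one stdio stream bound to the socket ---
# Now execute.c takes the socket_fd branch: the peer's security level is taken
# from the connection and folded into the instance's SELinux context.
[Unit]
Description=mlsd connection %i

[Service]
ExecStart=/usr/local/bin/mlsd
# The connection becomes the service's stdin and stdout (inetd style); any one
# of the three set to "socket" is enough for SELinuxContextFromNet= to apply.
StandardInput=socket
StandardOutput=socket
StandardError=journal
```

The service binary must then speak its protocol on fd 0/1 rather than picking the connection up via sd_listen_fds(). To check which variant is in effect, open one connection (for instance with nc to port 7777) and look at the running instance with `ps -eo pid,label,args`: only with the corrected service does the level part of the label reflect the peer, the rest of the context still comes from the binary's transition or from SELinuxContext=, as the man page text above describes.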

