[systemd-devel] systemd.socket man pages update suggestion
Ted Toth
txtoth at gmail.com
Thu Jun 10 18:44:03 UTC 2021
SELinuxContextFromNet=
Takes a boolean argument. When true, systemd will attempt to
figure out the SELinux label used for the instantiated
service from the information handed by the peer over the
network. Note that only the security level is used from the
information provided by the peer. Other parts of the
resulting SELinux context originate from either the target
binary that is effectively triggered by socket unit or from
the value of the SELinuxContext= option. This configuration
option only affects sockets with Accept= mode set to "yes".
Also note that this option is useful only when MLS/MCS
SELinux policy is deployed. Defaults to "false".
Add:
One or more of the associated service file's
StandardInput=/StandardOutput=/StandardError= options should be set to
socket for this option to work.
From execute.c:

    if (context->std_input == EXEC_INPUT_SOCKET ||
        context->std_output == EXEC_OUTPUT_SOCKET ||
        context->std_error == EXEC_OUTPUT_SOCKET) {
            if (params->n_fds != 1) {
                    log_unit_error(params->unit_id, "Got more than one socket.");
                    return -EINVAL;
            }
            socket_fd = params->fds[0];
    } else {
            socket_fd = -1;
            fds = params->fds;
            n_fds = params->n_fds;
    }
When socket_fd is -1 the SELinux context is not computed. Text like
this would have saved a lot of head scratching and code reading :(
Ted
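As an added example (not part of the original message and not systemd's own code), a small POSIX shell lint that catches the misconfiguration described above: a socket unit with SELinuxContextFromNet=yes whose service sets none of its standard streams to the socket, so the execute.c branch above never sees a socket_fd. The unit names, port and ExecStart= value in the constructed sample units are hypothetical.

```sh
#!/bin/sh
# Added example, not from the original post or from systemd: lint a .socket unit and
# its paired .service unit for the dependency described above. Only key=value lines
# are read (section headers are not checked). Exit status: 0 consistent,
# 1 SELinuxContextFromNet= would be silently ignored, 2 unreadable file.

# Value of key $2 in unit file $1; the last assignment wins, as in systemd.
unit_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Subset of systemd's boolean parsing: 1/yes/true/on are true, anything else false.
is_yes() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        1|yes|true|on) return 0 ;;
        *) return 1 ;;
    esac
}

check_selinux_from_net() {
    sock="$1"; svc="$2"
    [ -r "$sock" ] && [ -r "$svc" ] || return 2
    # Nothing to check unless the option is actually enabled.
    is_yes "$(unit_get "$sock" SELinuxContextFromNet)" || return 0
    if ! is_yes "$(unit_get "$sock" Accept)"; then
        echo "$sock: SELinuxContextFromNet= only affects Accept=yes sockets" >&2
        return 1
    fi
    # execute.c only takes the socket_fd path when a std stream is the socket.
    for key in StandardInput StandardOutput StandardError; do
        [ "$(unit_get "$svc" "$key")" = socket ] && return 0
    done
    echo "$svc: set StandardInput=/StandardOutput=/StandardError=socket or SELinuxContextFromNet= is ignored" >&2
    return 1
}

# Constructed sample units (hypothetical names, port and ExecStart=) written into directory $1.
write_samples() {
    printf '[Socket]\nListenStream=2222\nAccept=yes\nSELinuxContextFromNet=yes\n' > "$1/mls.socket"
    printf '[Service]\nExecStart=/usr/bin/example-daemon\n' > "$1/mls-nosock@.service"
    printf '[Service]\nExecStart=/usr/bin/example-daemon\nStandardInput=socket\nStandardOutput=socket\n' > "$1/mls-sock@.service"
}

if [ "${1:-}" = --demo ]; then
    d=$(mktemp -d) && write_samples "$d"
    check_selinux_from_net "$d/mls.socket" "$d/mls-nosock@.service" || echo "rc=$?"
    check_selinux_from_net "$d/mls.socket" "$d/mls-sock@.service" && echo "mls-sock@.service: ok"
    rm -rf "$d"
fi
```

Run with `--demo` to see the broken pair reported and the fixed pair accepted; in real use point it at the socket and template service from /etc/systemd/system.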