[systemd-devel] systemd.socket man pages update suggestion
Lennart Poettering
lennart at poettering.net
Mon Jun 14 12:03:36 UTC 2021
On Do, 10.06.21 13:44, Ted Toth (txtoth at gmail.com) wrote:
> SELinuxContextFromNet=
> Takes a boolean argument. When true, systemd will attempt to
> figure out the SELinux label used for the instantiated
> service from the information handed by the peer over the
> network. Note that only the security level is used from the
> information provided by the peer. Other parts of the
> resulting SELinux context originate from either the target
> binary that is effectively triggered by socket unit or from
> the value of the SELinuxContext= option. This configuration
> option only affects sockets with Accept= mode set to "yes".
> Also note that this option is useful only when MLS/MCS
> SELinux policy is deployed. Defaults to "false".
>
> Add:
> One or more of the associated service files
> StandardInput/StandardOutput/StandardError options should be set to
> socket for this option to work.
>
> From execute.c:
>     if (context->std_input == EXEC_INPUT_SOCKET ||
>         context->std_output == EXEC_OUTPUT_SOCKET ||
>         context->std_error == EXEC_OUTPUT_SOCKET) {
>
>         if (params->n_fds != 1) {
>             log_unit_error(params->unit_id, "Got more than one socket.");
>             return -EINVAL;
>         }
>
>         socket_fd = params->fds[0];
>     } else {
>         socket_fd = -1;
>         fds = params->fds;
>         n_fds = params->n_fds;
>     }
>
> When socket_fd is -1 the SELinux context is not computed. Text like
> this would have saved a lot of head scratching and code reading :(
We should probably make this work for any service that is instantiated
with a single fd. Can you file a bug on github asking for this?
Lennart
--
Lennart Poettering, Berlin
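The pitfall described in the quoted message (SELinuxContextFromNet=yes silently doing nothing unless the service takes the accepted connection on its stdio, and only with Accept=yes) can be caught before deployment with a small unit-file lint. This is an added example, not code from the thread or from systemd; the unit texts and the handler path are constructed.

```python
# Added example, not code from the original message or from systemd itself.
# Unit texts below are constructed; the handler binary path is hypothetical.
import configparser
from typing import List, Optional

STDIO_KEYS = ("StandardInput", "StandardOutput", "StandardError")

def parse_unit(text: str) -> configparser.ConfigParser:
    # Unit files are INI-like, but duplicate keys are legal there, hence strict=False.
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.optionxform = str  # systemd keys are case-sensitive; keep them as written
    cp.read_string(text)
    return cp

def is_yes(value: Optional[str]) -> bool:
    # The spellings systemd's boolean parser accepts as true.
    return value is not None and value.strip().lower() in {"1", "yes", "y", "true", "t", "on"}

def check_pair(socket_text: str, service_text: str) -> List[str]:
    """Return findings for a socket unit and its service; empty list means consistent."""
    sock = parse_unit(socket_text)
    svc = parse_unit(service_text)
    findings: List[str] = []
    if not is_yes(sock.get("Socket", "SELinuxContextFromNet", fallback=None)):
        return findings  # option not requested, nothing to verify
    if not is_yes(sock.get("Socket", "Accept", fallback=None)):
        findings.append("SELinuxContextFromNet= only affects sockets with Accept=yes")
    # execute.c only sets socket_fd when one of the stdio streams is the socket;
    # otherwise socket_fd stays -1 and no peer-derived context is computed.
    stdio = {svc.get("Service", key, fallback="").strip() for key in STDIO_KEYS}
    if "socket" not in stdio:
        findings.append("service needs StandardInput=, StandardOutput= or "
                        "StandardError= set to socket, otherwise socket_fd "
                        "stays -1 and the peer context is never computed")
    return findings

# Constructed sample units (port and handler path are illustrative only).
SOCKET_UNIT = """[Socket]
ListenStream=2222
Accept=yes
SELinuxContextFromNet=yes
"""
SERVICE_MISSING_STDIO = """[Service]
ExecStart=/usr/local/bin/example-handler
"""
SERVICE_OK = """[Service]
ExecStart=/usr/local/bin/example-handler
StandardInput=socket
"""
```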