[systemd-devel] systemd.socket man pages update suggestion

Lennart Poettering lennart at poettering.net
Mon Jun 14 12:03:36 UTC 2021


On Thu, 10.06.21 13:44, Ted Toth (txtoth at gmail.com) wrote:

>  SELinuxContextFromNet=
>            Takes a boolean argument. When true, systemd will attempt to
>            figure out the SELinux label used for the instantiated
>            service from the information handed by the peer over the
>            network. Note that only the security level is used from the
>            information provided by the peer. Other parts of the
>            resulting SELinux context originate from either the target
>            binary that is effectively triggered by socket unit or from
>            the value of the SELinuxContext= option. This configuration
>            option only affects sockets with Accept= mode set to "yes".
>            Also note that this option is useful only when MLS/MCS
>            SELinux policy is deployed. Defaults to "false".
>
> Add:
> One or more of the associated service files
> StandardInput/StandardOutput/StandardError options should be set to
> socket for this option to work.
>
> From execute.c:
>       if (context->std_input == EXEC_INPUT_SOCKET ||
>             context->std_output == EXEC_OUTPUT_SOCKET ||
>             context->std_error == EXEC_OUTPUT_SOCKET) {
>
>                 if (params->n_fds != 1) {
>                         log_unit_error(params->unit_id, "Got more than one socket.");
>                         return -EINVAL;
>                 }
>
>                 socket_fd = params->fds[0];
>         } else {
>                 socket_fd = -1;
>                 fds = params->fds;
>                 n_fds = params->n_fds;
>         }
>
> When socket_fd is -1 the SELinux context is not computed. Text like
> this would have saved a lot of head scratching and code reading :(

We should probably make this work for any service that is instantiated
with a single fd. Can you file a bug on github asking for this?

Lennart

--
Lennart Poettering, Berlin
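The unit-file pairing the thread is about, as an added example (not from the thread, the man page or systemd itself): the socket unit enables SELinuxContextFromNet= with Accept=yes, and the template service is shown first without and then with one of the Standard*=socket settings that Ted found necessary. Unit names, the port and the ExecStart path are assumptions; the "not derived / derived" behaviour is as Ted describes it from execute.c, and may change if the relaxation Lennart suggests is implemented.

```ini
# Added example, not systemd's own code. Unit names, the port and the
# ExecStart path are hypothetical.

# /etc/systemd/system/echo.socket
[Socket]
ListenStream=7777
# One service instance per accepted connection; each instance receives
# exactly one fd (the connection), which is what the check in execute.c
# expects (params->n_fds == 1).
Accept=yes
# Only honoured with Accept=yes and an MLS/MCS policy: the security level
# of the instance's label is taken from the peer connection; the rest of
# the context still comes from the target binary or SELinuxContext=.
SELinuxContextFromNet=yes

[Install]
WantedBy=sockets.target


# /etc/systemd/system/echo@.service  -- broken variant: label is NOT derived.
# The accepted connection is handed over only as an inherited fd, so
# execute.c takes the "else" branch (socket_fd = -1) and never looks at
# the peer; the instance gets the default label of the target binary.
[Service]
ExecStart=/usr/local/bin/echo-handler


# /etc/systemd/system/echo@.service  -- working variant.
# With at least one of StandardInput/StandardOutput/StandardError set to
# "socket", execute.c takes the single fd as socket_fd and computes the
# instance's SELinux label from it. Setting all three is the usual
# inetd-style layout, but one is sufficient for the label to be derived.
[Service]
ExecStart=/usr/local/bin/echo-handler
StandardInput=socket
StandardOutput=socket
StandardError=socket
```

After `systemctl daemon-reload` and `systemctl start echo.socket`, open a connection and compare the labels of the spawned instances with `ps -eZ | grep echo-handler`: with the working variant the level portion of the label follows the peer, with the broken variant it stays at whatever the target binary or SELinuxContext= yields, and nothing in the journal says why.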

