<div dir="ltr"><div dir="ltr">On Thu, Jun 10, 2021 at 9:44 PM Ted Toth <<a href="mailto:txtoth@gmail.com">txtoth@gmail.com</a>> wrote:<br></div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"> SELinuxContextFromNet=<br>
Takes a boolean argument. When true, systemd will attempt to<br>
figure out the SELinux label used for the instantiated<br>
service from the information handed by the peer over the<br>
network. Note that only the security level is used from the<br>
information provided by the peer. Other parts of the<br>
resulting SELinux context originate from either the target<br>
binary that is effectively triggered by socket unit or from<br>
the value of the SELinuxContext= option. This configuration<br>
option only affects sockets with Accept= mode set to "yes".<br>
Also note that this option is useful only when MLS/MCS<br>
SELinux policy is deployed. Defaults to "false".<br>
<br>
Add:<br>
One or more of the associated service files<br>
StandardInput/StandardOutput/StandardError options should be set to<br>
socket for this option to work.<br></blockquote><div><br></div><div>IMHO that is a bit odd. I don't really see the reason why the option wouldn't work with any Accept=yes service and would require stdin specifically...</div></div><div><br></div>-- <br><div dir="ltr" class="gmail_signature"><div dir="ltr">Mantas Mikulėnas</div></div></div>