On 01/24/2014 10:32 AM, Lennart Poettering wrote:
> On Fri, 24.01.14 10:22, Daniel J Walsh (dwalsh@xxxxxxxxxx) wrote:
>
> Heya,
>
> Do we really need a service for this? Can't this be done instead via a
> tmpfiles snippet that uses "f" and the extra argument at the end?
>
No, I did not know that tmpfiles.d did this. I will look into using that.

> I mean I am not convinced it's worth involving shell here. Also the
> canonical way to write things to /proc or /sys is
> {/etc,/usr/lib/}/sysctl.d/ and {/etc,/usr/lib/}/tmpfiles.d/ if it's simple
> and static. And I don't see why we shouldn't do this differently in this
> case than in all others...
>
> If you would ship a simple tmpfiles snippet in /usr/lib/tmpfiles.d/, then
> users who want to opt out of this could simply symlink the file to
> /dev/null in /etc/tmpfiles.d/.
>
>> I wrote a systemd unit file to enable it, and to allow a user to disable
>> the feature if he wants.
>>
>> # cat /usr/lib/systemd/system/selinux-checkreqprot.service
>> [Unit]
>> Description=SELinux check actual protection flags applied by kernel, rather than checking what application requested.
>>
>> [Service]
>> Type=oneshot
>> RemainAfterExit=yes
>> Environment="CHECKREQPROT=0"
>> EnvironmentFile=-/etc/selinux/config
>> ExecStart=/bin/sh -c '/bin/echo $CHECKREQPROT > /sys/fs/selinux/checkreqprot'
>>
>>
>> I would like to enable this service on the post install of an initial
>> install of libselinux. But I believe this will not happen with
>>
>> %systemd_post_enable selinux-checkreqprot.service
>>
>> How would I go about doing this?
>>
>> I know there is one problem in the unit file: it will fail if
>> /sys/fs/selinux/checkreqprot does not exist. Is there an easy check to
>> just exit if this file does not exist?
>>
>> Also, is using a unit file for this the best way to handle this?
>
> Lennart
>

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
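
The tmpfiles.d approach discussed in the thread, as an added example that is not code from either poster or from the libselinux package. It assumes a hypothetical snippet name `selinux-checkreqprot.conf` and a staging prefix argument, and it uses the tmpfiles.d `w` line type rather than the `f` type mentioned above, because `w` writes its argument only when the target file already exists, which covers the missing `/sys/fs/selinux/checkreqprot` case raised in the original question.

```shell
#!/bin/sh
# Added example: snippet name and staging-root argument are assumptions.
SNIPPET=selinux-checkreqprot.conf

# Install the vendor snippet under <root>/usr/lib/tmpfiles.d/.
# "w" writes the argument only if the path exists, so a kernel without
# /sys/fs/selinux/checkreqprot is skipped instead of producing a failure.
# The value 0 mirrors the CHECKREQPROT=0 default from the unit file.
install_snippet() {
    root=$1
    mkdir -p "$root/usr/lib/tmpfiles.d"
    printf '%s\n' \
        '# Type Path                         Mode UID GID Age Argument' \
        'w      /sys/fs/selinux/checkreqprot -    -   -   -   0' \
        > "$root/usr/lib/tmpfiles.d/$SNIPPET"
}

# Administrator opt-out: a same-named file in /etc/tmpfiles.d/ overrides the
# one in /usr/lib/tmpfiles.d/, and a symlink to /dev/null makes it empty.
mask_snippet() {
    root=$1
    mkdir -p "$root/etc/tmpfiles.d"
    ln -sfn /dev/null "$root/etc/tmpfiles.d/$SNIPPET"
}

# Report which copy would take effect: masked, overridden, vendor or absent.
# (/run/tmpfiles.d/ is not considered here, to keep the example short.)
effective_state() {
    root=$1
    etc="$root/etc/tmpfiles.d/$SNIPPET"
    if [ -L "$etc" ] && [ "$(readlink "$etc")" = /dev/null ]; then
        echo masked
    elif [ -e "$etc" ]; then
        echo overridden
    elif [ -f "$root/usr/lib/tmpfiles.d/$SNIPPET" ]; then
        echo vendor
    else
        echo absent
    fi
}
```

On a live system the root argument is the empty string, and `systemd-tmpfiles --create selinux-checkreqprot.conf` applies the snippet without a reboot.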