journald bypassing MAC checks?

systemd-journald has a facility where it accepts file descriptors from unprivileged local users and reads the log message from them. This is done to bypass size restrictions on UNIX domain socket datagram messages.

The code is here in server_process_native_file:

http://cgit.freedesktop.org/systemd/systemd/tree/src/journal/journald-native.c#n286

Does this bypass MAC checks because the journald process has different privileges than the user who opened the file descriptor?

--
Florian Weimer / Red Hat Product Security Team
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
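
The descriptor-passing mechanism the message describes, as an added example that is not part of the original post and is not journald's code: a client opens a file and hands the descriptor over a UNIX datagram socket with SCM_RIGHTS, and the receiver reads the entry through it without ever calling open() itself. The names `pass_fd`, `read_passed_message` and `demo_roundtrip`, the receiver-side checks and the sample entry are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <unistd.h>

/* One-descriptor SCM_RIGHTS transfer: sends *fd if sending, else receives into *fd. */
static int pass_fd(int sock, int *fd, int sending) {
    char byte = 0;
    union { struct cmsghdr h; char buf[CMSG_SPACE(sizeof(int))]; } u = { .buf = {0} };
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (sending) {  /* client: attach an already-open descriptor */
        c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS; c->cmsg_len = CMSG_LEN(sizeof *fd);
        memcpy(CMSG_DATA(c), fd, sizeof *fd);
        return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
    }
    if (recvmsg(sock, &msg, 0) < 0) return -1;  /* receiving (daemon) side */
    c = CMSG_FIRSTHDR(&msg);
    if (!c || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS ||
        c->cmsg_len != CMSG_LEN(sizeof *fd)) return -1;
    memcpy(fd, CMSG_DATA(c), sizeof *fd);
    return 0;
}

/* Receiver reads via the passed fd; no open() here, so open-time checks ran as the sender. */
static ssize_t read_passed_message(int fd, char *buf, size_t cap) {
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode)) return -1; /* regular files only */
    if (st.st_size < 0 || (size_t)st.st_size > cap) return -1;  /* bound the read */
    return pread(fd, buf, (size_t)st.st_size, 0); /* pread: offset is shared with sender */
}

/* Constructed round trip: 0 if the receiver read exactly what the sender wrote. */
int demo_roundtrip(void) {
    const char *entry = "MESSAGE=constructed sample entry\n";
    char buf[256]; int sv[2], in, out = -1; ssize_t n = -1;
    FILE *f = tmpfile();
    if (!f || socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0) return -1;
    fputs(entry, f); fflush(f); in = fileno(f);
    if (pass_fd(sv[0], &in, 1) == 0 && pass_fd(sv[1], &out, 0) == 0)
        n = read_passed_message(out, buf, sizeof buf);
    if (out >= 0) close(out);
    fclose(f); close(sv[0]); close(sv[1]);
    return (n == (ssize_t)strlen(entry) && memcmp(buf, entry, (size_t)n) == 0) ? 0 : -1;
}
int main(void) { return demo_roundtrip() == 0 ? 0 : 1; }
```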