http://0pointer.de/blog/projects/systemd.html
This has interesting ramifications for SELinux. I have a working
version of this in Fedora 14, but we need to add rules like
allow sshd_t init_t:tcp_socket { getopt ioctl getattr setopt };
Since systemd will be doing the listening and passing the socket to sshd.
Could we have risks of sshd_t grabbing the tcp_socket connected to
httpd_t?
In this scenario we are no longer protecting against the name_bind, and
are forced to put more trust into init_t.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
