On 07/13/2011 01:20 PM, Matthew Ife wrote:
> I don't think that will work. According to my strace systemd performs
> the work completely on behalf of the user when calling systemctl.
>
> It might be more elegant to solve the problem in software... ideally
> with some selinux object manager for systemd that systemctl can be
> intercepted with.
>
> Say classes of target and service and permissions like start, stop,
> reload, restart etc.
>
> That could take a while to implement though.
>

Right, I was thinking of something simpler: have systemd become an
object manager but only have it check the services file. That way we
just put a label on the services file and have systemd check if the user
context is allowed to "PROCESS" "EXECUTE" or some other access method on
the services file.