Re: As we move to systemd, we are losing some functionality from init scripts.

I don't think that will work. According to my strace, systemd performs the
work completely on behalf of the user when calling systemctl.

It might be more elegant to solve the problem in software, ideally with
some SELinux object manager for systemd that systemctl can be
intercepted with.

Say classes of target and service, and permissions like start, stop,
reload, restart, etc.

That could take a while to implement though.

On Tue, 2011-07-12 at 17:12 -0400, Daniel J Walsh wrote:
> Currently we can set up certain domains to be allowed to execute labeled
> init scripts.  If we go away from init scripts we will need a mechanism
> for init to look at the calling program label to figure out if it is
> allowed to start/stop certain domains.
> 
> Can webadm_t start/stop mysqld_t?  Can webadm_t start/stop httpd_t?
> 
> # id -Z
> staff_u:webadm_r:webadm_t:s0-s0:c0.c1023
> # systemctl start httpd.service
> # systemctl stop httpd.service
> 
> Another option would be just to label
> /lib/systemd/system/mysqld.service as something that webadm_t is not
> allowed to read.
> 
> Ideas?
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
> the words "unsubscribe selinux" without quotes as the message.
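To make the two designs discussed in this thread concrete, here is an added toy model (not code from the thread, from systemd, or from the SELinux reference policy) of the decision an SELinux-aware systemd would make when a caller runs `systemctl <verb> <unit>`. The `service` object class, its permission names, the `*_unit_file_t` labels, the `POLICY` rules and the `UNITS` table are all constructed for illustration; the only value taken from the mail is the caller context `staff_u:webadm_r:webadm_t:s0-s0:c0.c1023`.

```python
"""Toy model of systemd acting as an SELinux userspace object manager.

Two checks are modelled, matching the two options in the thread:
  1. object-manager check: <caller type> may <verb> a "service" whose
     process domain is <target type>;
  2. unit-file check: <caller type> may read the unit file's label.
Everything below (class, permission and type names, rules) is constructed.
"""

from dataclasses import dataclass
from typing import Tuple

# Hypothetical "service" object class with the permissions the reply suggests.
SERVICE_PERMS = frozenset({"start", "stop", "reload", "restart", "status"})


@dataclass(frozen=True)
class AllowRule:
    source: str          # caller's type, e.g. webadm_t
    target: str          # target type: a process domain or a file label
    tclass: str          # object class: "service" or "file"
    perms: frozenset     # permissions granted on that class


# Constructed policy: webadm_t may start/stop/reload httpd_t but not mysqld_t,
# and may read httpd's unit file but not mysqld's (the file-label alternative).
POLICY = [
    AllowRule("webadm_t", "httpd_t", "service",
              frozenset({"start", "stop", "reload", "status"})),
    AllowRule("webadm_t", "httpd_unit_file_t", "file",
              frozenset({"read", "getattr", "open"})),
]

# Constructed table: unit name -> (domain it runs in, label of its unit file)
UNITS = {
    "httpd.service": ("httpd_t", "httpd_unit_file_t"),
    "mysqld.service": ("mysqld_t", "mysqld_unit_file_t"),
}


def type_of(context: str) -> str:
    """Return the type field of a user:role:type[:range] security context,
    e.g. 'webadm_t' from 'staff_u:webadm_r:webadm_t:s0-s0:c0.c1023'."""
    parts = context.split(":")
    if len(parts) < 3 or not parts[2].endswith("_t"):
        raise ValueError(f"malformed security context: {context!r}")
    return parts[2]


def allowed(source_type: str, target_type: str, tclass: str, perm: str) -> bool:
    """Access-vector lookup: is there an allow rule granting perm on
    (source_type, target_type, tclass)?  Default deny, as in SELinux."""
    return any(r.source == source_type and r.target == target_type
               and r.tclass == tclass and perm in r.perms
               for r in POLICY)


def check_systemctl(caller_context: str, verb: str, unit: str) -> Tuple[str, str]:
    """Option 1: the object-manager decision for `systemctl <verb> <unit>`.
    Returns ("granted"|"denied", audit-style message)."""
    if verb not in SERVICE_PERMS:
        raise ValueError(f"unknown service permission: {verb!r}")
    if unit not in UNITS:
        raise KeyError(f"unknown unit: {unit!r}")
    domain, _ = UNITS[unit]
    caller = type_of(caller_context)
    msg = (f"{{ {verb} }} scontext={caller} tcontext={domain} tclass=service")
    if allowed(caller, domain, "service", verb):
        return "granted", "avc: granted " + msg
    return "denied", "avc: denied " + msg


def unit_file_readable(caller_context: str, unit: str) -> bool:
    """Option 2 from the original mail: gate control of a service on whether
    the caller may read its unit file at all."""
    _, unit_file_type = UNITS[unit]
    return allowed(type_of(caller_context), unit_file_type, "file", "read")


if __name__ == "__main__":
    ctx = "staff_u:webadm_r:webadm_t:s0-s0:c0.c1023"   # from the thread
    for verb, unit in [("start", "httpd.service"), ("stop", "mysqld.service"),
                       ("restart", "httpd.service")]:
        print(f"systemctl {verb} {unit}: {check_systemctl(ctx, verb, unit)[1]}")
    for unit in UNITS:
        print(f"read {unit}: {unit_file_readable(ctx, unit)}")
```

The object-manager model is the finer-grained of the two: it distinguishes `start` from `restart` on the same unit, whereas the unit-file-label approach can only say yes or no per unit, and says nothing about a caller that reaches the unit through a different path (for example a drop-in or an alias). Later systemd releases did adopt the first design, consulting SELinux with a `service` object class before acting on a unit, which is why `sesearch -A -s webadm_t -c service` is the place to look on a modern system.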