Bear with me please, because i might not fully grasp the issue (i received help with diagnosing this issue): This commit causes issues (and is, i think, a lousy hack): e3cab998b48ab293a9962faf9779d70ca339c65d The commit causes entities to "think" that SELinux is disabled after "mount -o remount,ro /sys/fs/selinux It is "neat" to be able to make processes "think" that selinux is disabled on a selinux enabled system but not if it break anything The above results in the following: Systemd services that have ProtectKernelTunables=yes set in their respective service units, think that SELinux is disabled. However we have found that some of these services actually rely on SELinux to ensure proper labeling. So we have the option to make people aware that if you set ProtectKernelTunables=yes that then the process cannot be SELinux-aware properly, or we can just get rid of the commit above and just accept that process know that SELinux is enabled. Actual bug that caused me to look into this: systemd-localed selinux awareness is broken due it having ProtectKernelTunables=yes in its service unit -- Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 Dominick Grift
Attachment:
signature.asc
Description: PGP signature
_______________________________________________ Selinux mailing list Selinux@xxxxxxxxxxxxx To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
