Hello,

in the past systemd was checking operations on systemd units, like enable, disable..., when using systemctl.
This feature was removed three years ago [1] and nowadays only { reload start status stop } are checked.

I am trying to re-enable these checks with a new approach [2].

With this pull request I would also like to specify some permissions more precisely:

- method_kexec: reboot -> kexec
- method_switch_root: reboot -> switchroot
- method_set_environment: reload -> environment
- method_unset_environment: reload -> environment
- method_unset_and_set_environment: reload -> environment
- bus_unit_method_set_properties: start -> setproperties
- bus_unit_method_ref: start -> ref

The newly introduced checks are computed like:

source context: process context of the dbus client
target context: either the file context of the installation path for the requested unit (like ssh -> /lib/systemd/system/ssh.service -> sshd_unit_t) if the file exists, or the process context of systemd (init_t)
    so when operating on edited units (like /etc/systemd/system/ssh.service) the access is still checked against the original unit context
class: "service"
permission: verb close to the action (like "enable", "preset"...)

Any comments are appreciated.

Best regards,
Christian Göttsche

[1]: https://github.com/systemd/systemd/commit/8faae625dc9b6322db452937f54176e56e65265a
[2]: https://github.com/systemd/systemd/pull/10023
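The target-context rule described in the message above, as an added Python model that is not part of the original post and is not systemd's code. The label on the /etc copy, the client domains and the allow rules are constructed sample values, and `target_context`, `access_query` and `allowed` are hypothetical names.

```python
# Added illustration of the check described in the post; not systemd code.
INSTALL_DIR = "/lib/systemd/system"  # installation path named in the post
SYSTEMD_CONTEXT = "init_t"           # process context of systemd (fallback)

# Constructed filesystem model: unit file path -> file context.
# The /etc copy is the admin-edited unit; its label is a constructed value.
FILES = {
    "/lib/systemd/system/ssh.service": "sshd_unit_t",
    "/etc/systemd/system/ssh.service": "etc_unit_t",
    "/etc/systemd/system/local.service": "etc_unit_t",  # no installed copy
}

# Constructed policy: allowed (source, target, class, permission) tuples.
ALLOW = {
    ("sysadm_t", "sshd_unit_t", "service", "enable"),
    ("sysadm_t", "sshd_unit_t", "service", "disable"),
    ("sysadm_t", "init_t", "service", "enable"),
}


def target_context(unit):
    """Label of the installed unit file if it exists, else systemd's context.

    Only the installation path is consulted, so an edited copy under
    /etc/systemd/system never changes the target of the check.
    """
    return FILES.get(f"{INSTALL_DIR}/{unit}", SYSTEMD_CONTEXT)


def access_query(client_context, unit, verb):
    """Build the tuple that would be checked for one D-Bus request."""
    return (client_context, target_context(unit), "service", verb)


def allowed(client_context, unit, verb):
    """Evaluate the query against the constructed allow rules."""
    return access_query(client_context, unit, verb) in ALLOW


if __name__ == "__main__":
    for client, unit, verb in [
        ("sysadm_t", "ssh.service", "enable"),    # edited unit, original label
        ("user_t", "ssh.service", "enable"),      # no rule for this client
        ("sysadm_t", "local.service", "enable"),  # falls back to init_t
        ("sysadm_t", "local.service", "preset"),  # verb not granted
    ]:
        print(access_query(client, unit, verb), allowed(client, unit, verb))
```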