It stopped too early, exposing a bug in sudo selinux_restore_tty(): SELINUX_ERR op=setxattr invalid_context="wheel.id:wheel.role:users.terminals.pty.pty_file:SystemLow" avc: denied { mac_admin } for pid=859 comm="sudo" capability=33 scontext=wheel.id:wheel.role:sudo.wheel.subj:s0 tcontext=wheel.id:wheel.role:sudo.wheel.subj:s0 tclass=capability2 permissive=0 If we want to be able to reference human readable contexts in SELinuxContext= and nspawn -Z and -L then we need mcstrans ASAP v2: stop late, but do stop Signed-off-by: Dominick Grift <dac.override@xxxxxxxxx> --- mcstrans/src/mcstrans.service | 3 +++ 1 file changed, 3 insertions(+) diff --git a/mcstrans/src/mcstrans.service b/mcstrans/src/mcstrans.service index 09529432..c13cd09a 100644 --- a/mcstrans/src/mcstrans.service +++ b/mcstrans/src/mcstrans.service @@ -2,6 +2,9 @@ Description=Translates SELinux MCS/MLS labels to human readable form Documentation=man:mcstransd(8) ConditionSecurity=selinux +DefaultDependencies=no +Before=shutdown.target sysinit.target +Conflicts=shutdown.target [Service] ExecStart=/sbin/mcstransd -f -- 2.24.0
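Review bot: the three added [Unit] lines set DefaultDependencies=no and Before=sysinit.target but add no explicit After= or Requires= for anything /sbin/mcstransd needs at that point in boot. Dropping the default dependencies removes the implicit ordering after sysinit.target and basic.target, so the daemon now starts in early boot with only the ordering spelled out here. If it reads its translation configuration from, or creates its socket on, a filesystem that is mounted during early boot, add the matching ordering (for example After=local-fs.target), or say in the commit message that none is required. Before=shutdown.target with Conflicts=shutdown.target restores the stop-at-shutdown behaviour that the v2 note describes. A short comment in the unit file on why it must be up before sysinit.target (the SELinuxContext= and nspawn -Z/-L case from the commit message) would help, because the reason is otherwise only in the commit log.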