On 12/18/19 9:28 AM, Christian Göttsche wrote:
> Improve the SELinux support in systemd, especially re-adding checks for unit file operations, like enable, mask...
>
> The original pull request can be found at https://github.com/systemd/systemd/pull/10023
>
> Patch 1 and 2 improve logging on failures in permissive mode.
>
> Patch 3 adds the ability to obtain the context for a masked unit.
>
> Patch 4 and 5 change several system and service checks. For better distinction two new permissions are introduced: modify and listdynusers.
>
> Patch 6 and 7 re-introduce checking unit file install operations. They were dropped in 8faae625dc9b6322db452937f54176e56e65265a . For consistency in the unexpected case while performing a service access check no path can be gathered, now the check will still be executed on the service security class (currently it switches to the system security class).
>
> Patch 8 adds some notes for adding future D-Bus interfaces.

Thanks for working on this. Just to make sure I didn't miss anything while reading the patches, there are no new permissions being added to the system class, correct?
-- Chris PeBenito