On Fri, Jan 10, 2020 at 9:20 AM Christian Göttsche <cgzones@xxxxxxxxxxxxxx> wrote:
> Support a SELinux overhaul of systemd by adding a policy capability.
>
> The systemd patch can be found at
> https://github.com/systemd/systemd/pull/10023
> and has NOT yet been accepted.
>
> This is just an RFC to test the water.
> ---
>  security/selinux/include/security.h | 1 +
>  security/selinux/ss/services.c      | 3 ++-
>  2 files changed, 3 insertions(+), 1 deletion(-)

Generally the SELinux policy capabilities are reserved for *kernel*
changes that potentially break compatibility with existing SELinux
policies. I'm probably not the best person to talk about
tricks/conventions used to do similar things in userspace, but you've
come to the right place :)

> diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
> index ecdd610e6449..2853e462977f 100644
> --- a/security/selinux/include/security.h
> +++ b/security/selinux/include/security.h
> @@ -79,6 +79,7 @@ enum {
>  POLICYDB_CAPABILITY_ALWAYSNETWORK,
>  POLICYDB_CAPABILITY_CGROUPSECLABEL,
>  POLICYDB_CAPABILITY_NNP_NOSUID_TRANSITION,
> + POLICYDB_CAPABILITY_SYSTEMD_OVERHAUL,
>  __POLICYDB_CAPABILITY_MAX
>  };
>  #define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1)
> diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
> index 55cf42945cba..cb50e187b181 100644
> --- a/security/selinux/ss/services.c
> +++ b/security/selinux/ss/services.c
> @@ -73,7 +73,8 @@ const char *selinux_policycap_names[__POLICYDB_CAPABILITY_MAX] = {
>  "extended_socket_class",
>  "always_check_network",
>  "cgroup_seclabel",
> - "nnp_nosuid_transition"
> + "nnp_nosuid_transition",
> + "systemd_overhaul"
>  };
>
>  static struct selinux_ss selinux_ss;
> --
> 2.24.1

--
paul moore
www.paul-moore.com
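Review bot: the new POLICYDB_CAPABILITY_SYSTEMD_OVERHAUL enumerator in the security.h hunk is not read anywhere else in this patch (the diffstat shows only three inserted lines across the two files), so declaring the capability in a policy changes no kernel access decision; it is a name with no kernel behaviour behind it. Before this goes further, the commit message should state which kernel-side check the capability is meant to switch, and the identifier should describe that behaviour, as POLICYDB_CAPABILITY_NNP_NOSUID_TRANSITION does, rather than a userspace project. Placing the new value immediately before __POLICYDB_CAPABILITY_MAX is the right spot, since the existing capability numbers must not shift.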
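Review bot: in the services.c hunk, "systemd_overhaul" becomes the user-visible name of the capability in selinux_policycap_names[], so it names one userspace project's refactor rather than the kernel behaviour the bit would toggle; either pick a name that describes the kernel-side change, as the neighbouring "cgroup_seclabel" and "nnp_nosuid_transition" entries do, or, per the reply above, reconsider whether a kernel policy capability is the right mechanism here at all. Style: the hunk adds the trailing comma to "nnp_nosuid_transition" only to leave the new last entry "systemd_overhaul" without one again; ending the list with a trailing comma would spare the next addition from touching the previous line, and since the array is sized __POLICYDB_CAPABILITY_MAX, the enum and string entries have to be added together in any case.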