On Thu, Jun 10, 2021 at 9:44 PM Ted Toth <txtoth@xxxxxxxxx> wrote:
> SELinuxContextFromNet=
> Takes a boolean argument. When true, systemd will attempt to
> figure out the SELinux label used for the instantiated
> service from the information handed by the peer over the
> network. Note that only the security level is used from the
> information provided by the peer. Other parts of the
> resulting SELinux context originate from either the target
> binary that is effectively triggered by socket unit or from
> the value of the SELinuxContext= option. This configuration
> option only affects sockets with Accept= mode set to "yes".
> Also note that this option is useful only when MLS/MCS
> SELinux policy is deployed. Defaults to "false".
>
> Add:
> One or more of the associated service files
> StandardInput/StandardOutput/StandardError options should be set to
> socket for this option to work.

IMHO that is a bit odd. I don't really see the reason why the option wouldn't work with any Accept=yes service and would require stdin specifically...
Mantas Mikulėnas
_______________________________________________ systemd-devel mailing list systemd-devel@xxxxxxxxxxxxxxxxxxxxx https://lists.freedesktop.org/mailman/listinfo/systemd-devel
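
For reference, the unit pair this thread is discussing might look like the following. This is an added example, not configuration posted by either participant or taken from systemd; the unit name `mlsecho`, the port and the binary path are hypothetical.

```ini
# --- mlsecho.socket (hypothetical unit name) ---
[Socket]
# Constructed sample port.
ListenStream=7777
# SELinuxContextFromNet= only affects sockets with Accept=yes, so each
# incoming connection starts its own mlsecho@.service instance.
Accept=yes
# Take the security level (only the level) from the peer's label. Per the
# quoted documentation this is useful only with an MLS/MCS policy.
SELinuxContextFromNet=yes

[Install]
WantedBy=sockets.target

# --- mlsecho@.service (hypothetical template, one instance per connection) ---
[Unit]
Description=Per-connection service labelled with the peer's MLS/MCS level

[Service]
# Hypothetical binary. The non-level parts of the resulting context come
# from this binary's label, or from SELinuxContext= if that is set.
ExecStart=/usr/local/bin/mlsecho
# The setting the proposed documentation addition says is required.
# Whether it really is required is the open question in the reply above.
StandardInput=socket
```

On an MLS/MCS system, `ps -Z` on a spawned instance shows which level it was actually given, which is a direct way to check the behaviour with and without `StandardInput=socket`.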