On Do, 10.06.21 13:44, Ted Toth (txtoth@xxxxxxxxx) wrote:

> SELinuxContextFromNet=
> Takes a boolean argument. When true, systemd will attempt to figure out the SELinux label used for the instantiated service from the information handed by the peer over the network. Note that only the security level is used from the information provided by the peer. Other parts of the resulting SELinux context originate from either the target binary that is effectively triggered by socket unit or from the value of the SELinuxContext= option. This configuration option only affects sockets with Accept= mode set to "yes". Also note that this option is useful only when MLS/MCS SELinux policy is deployed. Defaults to "false".
>
> Add:
> One or more of the associated service file's StandardInput/StandardOutput/StandardError options should be set to socket for this option to work.
>
> From execute.c:
>
>     if (context->std_input == EXEC_INPUT_SOCKET ||
>         context->std_output == EXEC_OUTPUT_SOCKET ||
>         context->std_error == EXEC_OUTPUT_SOCKET) {
>
>             if (params->n_fds != 1) {
>                     log_unit_error(params->unit_id, "Got more than one socket.");
>                     return -EINVAL;
>             }
>
>             socket_fd = params->fds[0];
>     } else {
>             socket_fd = -1;
>             fds = params->fds;
>             n_fds = params->n_fds;
>     }
>
> When socket_fd is -1 the SELinux context is not computed. Text like this would have saved a lot of head scratching and code reading :(

We should probably make this work for any service that is instantiated with a single fd. Can you file a bug on github asking for this?

Lennart

--
Lennart Poettering, Berlin

_______________________________________________
systemd-devel mailing list
systemd-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
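As an added illustration (not part of the thread), a socket/service unit pair that satisfies the precondition Ted describes: Accept=yes on the socket, and at least one of the service's standard streams pointed at the socket so that execute.c receives exactly one fd and computes the peer-derived context. Unit names, the port and the ExecStart binary are assumptions for this example.

```ini
# /etc/systemd/system/mls-echo.socket  (name and port assumed for this example)
[Unit]
Description=Per-connection service with peer-derived SELinux level

[Socket]
ListenStream=7000
# Accept=yes: systemd spawns one mls-echo@<n>.service per connection
# and hands that instance exactly one socket fd.
Accept=yes
# Only meaningful with an MLS/MCS policy; only the level is taken from the peer,
# the rest of the context comes from the binary or SELinuxContext=.
SELinuxContextFromNet=yes

[Install]
WantedBy=sockets.target

# /etc/systemd/system/mls-echo@.service  (template instantiated per connection)
[Unit]
Description=Connection instance %i

[Service]
ExecStart=/usr/bin/cat
# Without at least one of StandardInput/StandardOutput/StandardError set to
# "socket", socket_fd stays -1 in execute.c and no per-connection SELinux
# context is computed, so SELinuxContextFromNet= silently does nothing.
StandardInput=socket
StandardOutput=socket
```

After installing the units, `systemctl show -p StandardInput,StandardOutput mls-echo@.service` confirms the streams are bound to the socket before relying on the option.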