On 11/04/2013 02:05 PM, Lennart Poettering wrote:
> On Mon, 04.11.13 17:06, Lennart Poettering ([email protected]) wrote:
>
>> On Thu, 31.10.13 15:51, Vaclav Pavlin ([email protected]) wrote:
>>
>>> From: Václav Pavlín <[email protected]>
>>
>> Sorry, I don't understand what this patch is doing. Please explain in a
>> commit message!
>
> Hmm, so, here's another idea. The transient units are created by a client
> process. We could easily determine the label of that client process.
> Wouldn't it be a better approach to calculate the label of the transient units
> somehow from the client process' label? This way we wouldn't need any
> additional systemd-specific infrastructure in libselinux.
>
> Dan, could that work?
>
> Lennart
>
I suppose it would. The only label we have for the clients is the process
label.
What process types create these runtime objects and what do they request to do
with them?
Currently systemd asks for permissions on system class and service class, where

    class system
    {
        ipc_info
        syslog_read
        syslog_mod
        syslog_console
        module_request
        halt
        reboot
        status
        undefined
        enable
        disable
        reload
    }

    class service
    {
        start
        stop
        status
        reload
        kill
        load
        enable
        disable
    }

Do we have to add a rule like

    allow sysadm_t networkmanager_t:service start;

Where networkmanager_t is a process type?
_______________________________________________
systemd-devel mailing list
[email protected]
http://lists.freedesktop.org/mailman/listinfo/systemd-devel