Lennart Poettering <[email protected]> writes:

> On Fri, 06.03.15 13:04, Jan Synáček ([email protected]) wrote:
>
>> Hello,
>>
>> when systemd creates a socket file, it explicitly calls a selinux
>> procedure to label it. I don't think that is needed, as the kernel does
>> the right thing when the socket is created. Am I missing something? Why
>> is the explicit labeling in place?
>
> Well, it's complicated.
>
> If we use socket activation we label a socket taking into account the
> label of the binary that is eventually started for it.
>
> And then, for file system sockets the kernel could traditionally only
> derive the label to use from the directory the socket was created in,
> which makes it difficult to have multiple sockets in the same
> directory with different labels, which is pretty frequently done
> though. That said, I think this limitation was lifted a while back in
> the kernel, and the policy can now also take the socket file name into
> consideration and derive different labels automatically.
>
> Ultimately, I only superficially understand the selinux code. We rely
> on patches from Dan & co to keep it up-to-date. Better keep him in the
> loop.
If there is a way to specify the automatic labeling of the socket files according to their names, and not the directory that they reside in, in the policy, then the code that does the explicit labeling isn't necessary. If not, the code would label the sockets incorrectly, which is what actually happens now. Plus the fact that systemd doesn't correctly re-require the libselinux handle (meaning that policy updates/reloads are not recognized) on policy changes makes the logic not work.

I've tried to write a small piece of code that would execute whenever a policy is modified, but failed to do so. Calling selinux_set_callback(SELINUX_CB_POLICYLOAD, cb) doesn't do anything.

So, I think that the code that explicitly labels the socket files should be removed. It would be nice to hear from Dan, though.

Cheers,
--
Jan Synacek
Software Engineer, Red Hat
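As an added illustration of the name-based labeling Lennart refers to and Jan asks about (this is example policy written for this page, not code from the thread or from systemd), a minimal refpolicy-style module that gives two sockets in the same directory different labels via named type_transition rules; the domain and socket type names are assumed for the example, var_run_t is the stock refpolicy type for /run:

```selinux
policy_module(example_named_sock, 1.0)

# Creating domain and the two socket labels (all three names are assumed
# for this example and do not exist in any shipped policy).
type example_daemon_t;
type example_a_sock_t;
type example_b_sock_t;
files_type(example_a_sock_t)
files_type(example_b_sock_t)

# Directory type the sockets are created in; declared elsewhere in refpolicy.
require {
    type var_run_t;
}

# The domain must be allowed to create the socket files in /run, otherwise
# the transition rules below never fire.
allow example_daemon_t var_run_t : dir { search write add_name remove_name };
allow example_daemon_t { example_a_sock_t example_b_sock_t } : sock_file { create setattr unlink };

# Named file transitions: the trailing string is matched exactly against the
# final path component, so two sockets created by the same domain in the
# same directory get different labels without any userspace labeling call.
type_transition example_daemon_t var_run_t : sock_file example_a_sock_t "a.sock";
type_transition example_daemon_t var_run_t : sock_file example_b_sock_t "b.sock";

# Unnamed rule: any other sock_file this domain creates in /run gets this
# label. This is the only kind of rule the kernel supported before name-based
# transitions, which is the limitation Lennart describes.
type_transition example_daemon_t var_run_t : sock_file example_a_sock_t;
```

Note that the source of the rule is whichever domain actually performs the create; under socket activation that is the domain systemd runs in, not the service that is later started, so the rules must be written for that creating domain.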
systemd-devel mailing list
[email protected]
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
