For the sock *file*, I would argue that indeed the "setfscreatecon" is not strictly needed, and that the labeling for this can be taken care of by using type transition rules in the security policy as suggested. However, for the "socket" classes associated with the process type, "setsockcreatecon" is required.

The socket activation SELinux-related aspect has two parts:

1. the socket associated with the process (setsockcreatecon())
2. the actual socket file (setfscreatecon())

The latter (2) can, and should *probably* be removed. The setsockcreatecon() stuff should stay, and the setfscreatecon() stuff should *probably* go.

--
02DFF788
4D30 903A 1CF3 B756 FB48 1514 3148 83A2 02DF F788
http://keys.gnupg.net/pks/lookup?op=vindex&search=0x314883A202DFF788
Dominick Grift

_______________________________________________ systemd-devel mailing list [email protected] http://lists.freedesktop.org/mailman/listinfo/systemd-devel
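
The two-part split described in the message above, as an added reference-policy-style sketch that is not part of the original thread or of systemd's or any distribution's policy. The names `food_socket`, `food_t`, `food_runtime_t` and `food.sock` are hypothetical, and `init_t` / `var_run_t` are assumed to be the types of the service manager and of the runtime directory.

```selinux
policy_module(food_socket, 1.0)

# Hypothetical names: food_t (daemon domain), food_runtime_t (label for its
# socket file), "food.sock" (file name in the runtime directory).
# Assumption: init_t is the service manager, var_run_t labels the directory.
gen_require(`
	type init_t, var_run_t;
	class process setsockcreate;
	class dir { search write add_name };
	class sock_file { create setattr unlink };
	class unix_stream_socket { create bind listen setopt getattr };
')

type food_t;
domain_type(food_t)

type food_runtime_t;
files_type(food_runtime_t)

# Part 1: the socket object associated with the process.
# Its label is chosen at run time with setsockcreatecon(), so policy only
# has to permit the service manager to set that attribute and to create and
# listen on a socket carrying the daemon's type.
allow init_t self:process setsockcreate;
allow init_t food_t:unix_stream_socket { create bind listen setopt getattr };

# Part 2: the socket file created by bind().
# A named type transition labels it from policy, so no setfscreatecon()
# call is involved for this file.
type_transition init_t var_run_t:sock_file food_runtime_t "food.sock";
allow init_t var_run_t:dir { search write add_name };
allow init_t food_runtime_t:sock_file { create setattr unlink };
```

Nothing in this sketch grants `init_t` the `setfscreate` process permission: the socket file's label comes entirely from the `type_transition` rule.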
