On Wed, Mar 25, 2015 at 10:31:41PM +0100, Dominick Grift wrote:
> For the sock *file*, I would argue that indeed the "setfscreatecon" is not 
> strictly needed, and that the labeling for this can be taken care of by using 
> type transition rules in the security policy as suggested.
>  
> However, for the "socket" classes associated with the process type, 
> "setsockcreatecon" is required.
>  
> The SELinux-related aspect of socket activation has two parts:
>  
> 1. the socket associated with the process (setsockcreatecon())
> 2. the actual socket file (setfscreatecon())
> 
> The latter (2) can, and should *probably* be removed.
> 
> The setsockcreatecon() stuff should stay, and the setfscreatecon() stuff 
> should *probably* go.

Actually, come to think of it, it is not that simple and things should 
probably stay as they are.

For multi-level security configurations the proper security level must be 
associated with the sock file, and that cannot be specified with a type 
transition rule.

It should stay the way it currently is.


-- 
02DFF788
4D30 903A 1CF3 B756 FB48  1514 3148 83A2 02DF F788
http://keys.gnupg.net/pks/lookup?op=vindex&search=0x314883A202DFF788
Dominick Grift
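
The two labeling steps discussed in this mail, as an added example that is not part of the original message and is not systemd's code. The function names and the sample contexts are hypothetical, and the block writes the per-thread procfs attributes `sockcreate` and `fscreate` directly in place of the libselinux calls `setsockcreatecon()` and `setfscreatecon()` so that it builds without libselinux.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/* Set (ctx != NULL) or clear (ctx == NULL) a per-thread creation context.
 * attr is "sockcreate" or "fscreate". Returns 0 on success, -1 on error. */
static int set_create_context(const char *attr, const char *ctx)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/thread-self/attr/%s", attr);
    int fd = open(path, O_WRONLY);
    if (fd < 0)
        return -1;
    /* A zero-length write resets the attribute to the policy default. */
    ssize_t n = ctx ? write(fd, ctx, strlen(ctx) + 1) : write(fd, "", 0);
    close(fd);
    return n < 0 ? -1 : 0;
}

/* Create a listening AF_UNIX socket at path. Constructed sample contexts:
 *   sock_ctx "system_u:system_r:example_t:s2"          (process type)
 *   file_ctx "system_u:object_r:example_var_run_t:s2"  (file type + level)
 * Passing NULL for a context leaves that object to the policy defaults. */
int listen_labeled(const char *path, const char *sock_ctx, const char *file_ctx)
{
    struct sockaddr_un sa = { .sun_family = AF_UNIX };
    if (strlen(path) >= sizeof sa.sun_path)
        return -1;
    strcpy(sa.sun_path, path);
    /* Part 1: the socket object, labeled at socket() time. */
    if (sock_ctx && set_create_context("sockcreate", sock_ctx) < 0)
        return -1;
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (sock_ctx)
        set_create_context("sockcreate", NULL);
    if (fd < 0)
        return -1;
    /* Part 2: the sock file, labeled when bind() creates it. The trailing
     * level field of file_ctx is the part the mail is concerned with. */
    int r = -1;
    if (!file_ctx || set_create_context("fscreate", file_ctx) == 0) {
        unlink(path); /* remove a stale sock file from an earlier run */
        r = bind(fd, (struct sockaddr *)&sa, sizeof sa);
    }
    if (file_ctx)
        set_create_context("fscreate", NULL);
    if (r < 0 || listen(fd, SOMAXCONN) < 0) { close(fd); return -1; }
    return fd;
}
```

Both attributes are cleared right after the object is created, so later sockets and files made by the same thread do not inherit the contexts.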

_______________________________________________
systemd-devel mailing list
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
