On 11/04/2013 02:05 PM, Lennart Poettering wrote:
> On Mon, 04.11.13 17:06, Lennart Poettering (lenn...@poettering.net) wrote:
>
>> On Thu, 31.10.13 15:51, Vaclav Pavlin (vpav...@redhat.com) wrote:
>>
>>> From: Václav Pavlín <vpav...@redhat.com>
>>
>> Sorry, I don't understand what this patch is doing. Please explain in a
>> commit message!
>
> Hmm, so, here's another idea. The transient units are created by a client
> process. We could easily determine the label of that client process.
> Wouldn't it be a better approach to calculate the label of the transient units
> somehow from the client process' label? This way we wouldn't need any
> additional systemd-specific infrastructure in libselinux.
>
> Dan, could that work?
>
> Lennart
>

I suppose it would. The only label we have for the clients is the process label.
What process types create these runtime objects and what do they request to do with them?

Currently systemd asks for permissions on system class and service class, where

class system
{
	ipc_info
	syslog_read
	syslog_mod
	syslog_console
	module_request
	halt
	reboot
	status
	undefined
	enable
	disable
	reload
}

class service
{
	start
	stop
	status
	reload
	kill
	load
	enable
	disable
}

Do we have to add a rule like

allow sysadm_t networkmanager_t:service start;

Where networkmanager_t is a process type?