On Mon, 04.11.13 15:05, Daniel J Walsh (dwa...@redhat.com) wrote:

> On 11/04/2013 02:05 PM, Lennart Poettering wrote:
> > On Mon, 04.11.13 17:06, Lennart Poettering (lenn...@poettering.net) wrote:
> >
> >> On Thu, 31.10.13 15:51, Vaclav Pavlin (vpav...@redhat.com) wrote:
> >>
> >>> From: Václav Pavlín <vpav...@redhat.com>
> >>
> >> Sorry, I don't understand what this patch is doing. Please explain in a
> >> commit message!
> >
> > Hmm, so, here's another idea. The transient units are created by a client
> > process. We could easily determine the label of that client process.
> > Wouldn't it be a better approach to calculate the label of the transient
> > units somehow from the client process' label? This way we wouldn't need
> > any additional systemd-specific infrastructure in libselinux.
> >
> > Dan, could that work?
> >
> > Lennart
>
> I suppose it would. The only label we have for the clients is the process
> label.
>
> What process types create these runtime objects and what do they request
> to do with them?

Currently it's almost exclusively "systemd-machined", "systemd-logind" and
"systemd-run" which create transient units, for creating scopes to run
VM/containers in, sessions in and arbitrary user commands in.

> class service
> {
>     start
>     stop
>     status
>     reload
>     kill
>     load
>     enable
>     disable
> }
>
> Do we have to add a rule like
>
>     allow sysadm_t networkmanager_t:service start;
>
> Where networkmanager_t is a process type?

Well, logind, machined, systemd-run would need the permission to start a
transient service, that'd be all really...

Lennart

--
Lennart Poettering, Red Hat
_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
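The idea floated in this thread, deriving a transient unit's label from the requesting client's process label, sketched as an added example (not systemd's or libselinux's code). It reads the peer's context with the Linux SO_PEERSEC socket option, parses it, and maps the client's type to a unit type through a table; the type names in that table and the mapping itself are constructed assumptions, and a real policy would express this as a type_transition rule.

```python
import socket

# Linux SOL_SOCKET option number for the peer's security label; Python's
# socket module does not export it.  (Added example, not systemd's code.)
SO_PEERSEC = 31


def peer_label(sock):
    """Security context of the process at the other end of a connected
    AF_UNIX socket, or None when the kernel cannot report one (no SELinux,
    or another OS: getsockopt then fails, typically with ENOPROTOOPT)."""
    try:
        raw = sock.getsockopt(socket.SOL_SOCKET, SO_PEERSEC, 256)
    except OSError:
        return None
    return raw.rstrip(b"\0").decode("ascii", "replace") or None


def local_peer_label():
    """Our own context as seen over a socketpair; None if unavailable."""
    a, b = socket.socketpair(socket.AF_UNIX)
    try:
        return peer_label(a)
    finally:
        a.close()
        b.close()


def parse_context(ctx):
    """Split 'user:role:type[:level]'.  The MLS level may itself contain
    colons (e.g. 's0-s0:c0.c1023'), so split at most three times."""
    fields = ctx.split(":", 3)
    if len(fields) < 3 or not all(fields[:3]):
        raise ValueError("malformed SELinux context: %r" % ctx)
    level = fields[3] if len(fields) == 4 else None
    return {"user": fields[0], "role": fields[1], "type": fields[2], "level": level}


# Hypothetical client-type -> transient-unit-type mapping (names constructed).
TRANSIENT_UNIT_TYPES = {
    "systemd_logind_t": "logind_session_unit_t",
    "systemd_machined_t": "machine_scope_unit_t",
    "sysadm_t": "user_transient_unit_t",
}


def transient_unit_label(client_ctx):
    """Label for a transient unit created on behalf of client_ctx.  An unknown
    client type yields None so the caller can refuse instead of creating a
    unit with a default label it never reasoned about."""
    c = parse_context(client_ctx)
    unit_type = TRANSIENT_UNIT_TYPES.get(c["type"])
    if unit_type is None:
        return None
    label = "%s:object_r:%s" % (c["user"], unit_type)
    if c["level"] is not None:
        label += ":" + c["level"]  # carry the client's MLS range over
    return label
```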