On 11/14/2013 12:50 PM, Harald Hoyer wrote:
> On 11/05/2013 11:12 PM, Daniel J Walsh wrote:
>> On 11/05/2013 12:22 PM, Lennart Poettering wrote:
>
>> Ok, let's add a check that checks for start on a service labeled with the
>> remote process label, then we can add rules like
>
>> allow systemd_logind_t self:service start
>
>> Or we can make it simpler and have the local end check against the init_t
>> process.
>
>> allow systemd_logind_t init_t:service start;
>
>> Which is probably a better solution, if we have no way of differentiating
>> the services.
>
>> Machineid usually runs as init_t now.
>
>> systemd-run runs as the label of the process that executes it, usually
>> unconfined_t, and sysadm_t.
>
>
> has any solution been found for this?
>
> seems like one is needed for
> https://bugzilla.redhat.com/show_bug.cgi?id=1008864
>
I guess the question I have is do you expect a patch from me? Or are you guys working on it?

I would go with the checking based on process label.