On Thu, 14.11.13 15:43, Daniel J Walsh (dwa...@redhat.com) wrote:

> On 11/14/2013 12:50 PM, Harald Hoyer wrote:
> > On 11/05/2013 11:12 PM, Daniel J Walsh wrote:
> >> On 11/05/2013 12:22 PM, Lennart Poettering wrote:
> >
> >> OK, let's add a check that checks for start on a service labeled with the
> >> remote process label, then we can add rules like
> >
> >> allow systemd_logind_t self:service start;
> >
> >> Or we can make it simpler and have the local end check against the init_t
> >> process.
> >
> >> allow systemd_logind_t init_t:service start;
> >
> >> Which is probably a better solution, if we have no way of differentiating
> >> the services.
> >
> >> Machineid usually runs as init_t now.
> >
> >> systemd-run runs as the label of the process that executes it, usually
> >> unconfined_t, and sysadm_t.
> >
> >
> > has any solution been found for this?
> >
> > seems like one is needed for
> > https://bugzilla.redhat.com/show_bug.cgi?id=1008864
> >
>
> I guess the question I have is do you expect a patch from me? Or are you guys
> working on it? I would go with the checking based on process label.

I am hoping for a patch for this!

Thanks,

Lennart

-- 
Lennart Poettering, Red Hat