On Mo, 12.09.22 13:26, Ted Toth (txt...@gmail.com) wrote:
> I've been looking at the issue of systemd setting the socket
> activation socket context to init_t when using SELinuxContextFromNet.
> My initial thought was to use the port context set by running semanage
> and compute the socket context using a type transition for the port
> type to a socket type. However after consulting the selinux community
> the consensus is not to do this but rather to simply use the target
> executables context. Currently systemd does compute the executables
> context when SELinuxContextFromNet is not used. Can anyone explain why
> the computed executables context is not used when
> SELinuxContextFromNet is set?
The SELinux hookup originally came from SELinux people. These are
questions only SELinux people really can answer.
If you think the SELinux code in systemd should work differenntly,
please file a PR changing it, and get a review/blessing from the
SELinux people and we'll basically merge anything that codewise looks
OK.
Don't assume we as systemd people would also be SELinux people with a
deep understanding how SELinux should operate. We are generally not.
Sorry, if that's disappointing.
Lennart
--
Lennart Poettering, Berlin
