Re: [systemd-devel] systemd.socket man pages update suggestion
On Thu, 10.06.21 13:44, Ted Toth (txt...@gmail.com) wrote:

> SELinuxContextFromNet=
> Takes a boolean argument. When true, systemd will attempt to
> figure out the SELinux label used for the instantiated
> service from the information handed by the peer over the
> network. Note that only the security level is used from the
> information provided by the peer. Other parts of the
> resulting SELinux context originate from either the target
> binary that is effectively triggered by socket unit or from
> the value of the SELinuxContext= option. This configuration
> option only affects sockets with Accept= mode set to "yes".
> Also note that this option is useful only when MLS/MCS
> SELinux policy is deployed. Defaults to "false".
>
> Add:
> One or more of the associated service files
> StandardInput/StandardOutput/StandardError options should be set to
> socket for this option to work.
>
> From execute.c:
>
>         if (context->std_input == EXEC_INPUT_SOCKET ||
>             context->std_output == EXEC_OUTPUT_SOCKET ||
>             context->std_error == EXEC_OUTPUT_SOCKET) {
>
>                 if (params->n_fds != 1) {
>                         log_unit_error(params->unit_id, "Got more than one socket.");
>                         return -EINVAL;
>                 }
>
>                 socket_fd = params->fds[0];
>         } else {
>                 socket_fd = -1;
>                 fds = params->fds;
>                 n_fds = params->n_fds;
>         }
>
> When socket_fd is -1 the SELinux context is not computed. Text like
> this would have saved a lot of head scratching and code reading :(

We should probably make this work for any service that is instantiated
with a single fd. Can you file a bug on github asking for this?

Lennart

--
Lennart Poettering, Berlin

___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] systemd.socket man pages update suggestion
On Thu, Jun 10, 2021 at 9:44 PM Ted Toth wrote:

> SELinuxContextFromNet=
> Takes a boolean argument. When true, systemd will attempt to
> figure out the SELinux label used for the instantiated
> service from the information handed by the peer over the
> network. Note that only the security level is used from the
> information provided by the peer. Other parts of the
> resulting SELinux context originate from either the target
> binary that is effectively triggered by socket unit or from
> the value of the SELinuxContext= option. This configuration
> option only affects sockets with Accept= mode set to "yes".
> Also note that this option is useful only when MLS/MCS
> SELinux policy is deployed. Defaults to "false".
>
> Add:
> One or more of the associated service files
> StandardInput/StandardOutput/StandardError options should be set to
> socket for this option to work.

IMHO that is a bit odd. I don't really see the reason why the option
wouldn't work with any Accept=yes service and would require stdin
specifically...

--
Mantas Mikulėnas
[systemd-devel] systemd.socket man pages update suggestion
SELinuxContextFromNet=
Takes a boolean argument. When true, systemd will attempt to
figure out the SELinux label used for the instantiated
service from the information handed by the peer over the
network. Note that only the security level is used from the
information provided by the peer. Other parts of the
resulting SELinux context originate from either the target
binary that is effectively triggered by socket unit or from
the value of the SELinuxContext= option. This configuration
option only affects sockets with Accept= mode set to "yes".
Also note that this option is useful only when MLS/MCS
SELinux policy is deployed. Defaults to "false".

Add:
One or more of the associated service files
StandardInput/StandardOutput/StandardError options should be set to
socket for this option to work.

From execute.c:

        if (context->std_input == EXEC_INPUT_SOCKET ||
            context->std_output == EXEC_OUTPUT_SOCKET ||
            context->std_error == EXEC_OUTPUT_SOCKET) {

                if (params->n_fds != 1) {
                        log_unit_error(params->unit_id, "Got more than one socket.");
                        return -EINVAL;
                }

                socket_fd = params->fds[0];
        } else {
                socket_fd = -1;
                fds = params->fds;
                n_fds = params->n_fds;
        }

When socket_fd is -1 the SELinux context is not computed. Text like
this would have saved a lot of head scratching and code reading :(

Ted
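The unit pair that the requirement above implies, as an added example that is not part of the thread or of systemd's own documentation; the unit names, listen port and ExecStart= path are hypothetical:

```ini
# mls-echo.socket (hypothetical): one service instance per connection,
# with the instance's MLS/MCS level taken from the connecting peer.
[Socket]
ListenStream=0.0.0.0:7007
# Accept=yes is required: the option only affects per-connection instances.
Accept=yes
SELinuxContextFromNet=yes

[Install]
WantedBy=sockets.target

# mls-echo@.service (hypothetical): the per-connection instance template.
[Service]
ExecStart=/usr/local/bin/mls-echo
# At least one of these must be "socket". Per the execute.c check quoted
# in the thread, otherwise socket_fd stays -1, no peer-derived SELinux
# context is computed, and SELinuxContextFromNet=yes is silently ignored.
StandardInput=socket
StandardOutput=socket
StandardError=journal
```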