Re: [systemd-devel] systemd.socket man pages update suggestion

2021-06-14 Thread Lennart Poettering
On Thu, 10.06.21 13:44, Ted Toth (txt...@gmail.com) wrote:

>  SELinuxContextFromNet=
>Takes a boolean argument. When true, systemd will attempt to
>figure out the SELinux label used for the instantiated
>service from the information handed by the peer over the
>network. Note that only the security level is used from the
>information provided by the peer. Other parts of the
>resulting SELinux context originate from either the target
>binary that is effectively triggered by socket unit or from
>the value of the SELinuxContext= option. This configuration
>option only affects sockets with Accept= mode set to "yes".
>Also note that this option is useful only when MLS/MCS
>SELinux policy is deployed. Defaults to "false".
>
> Add:
> One or more of the associated service files
> StandardInput/StandardOutput/StandardError options should be set to
> socket for this option to work.
>
> From execute.c:
>
>         if (context->std_input == EXEC_INPUT_SOCKET ||
>             context->std_output == EXEC_OUTPUT_SOCKET ||
>             context->std_error == EXEC_OUTPUT_SOCKET) {
>
>                 if (params->n_fds != 1) {
>                         log_unit_error(params->unit_id, "Got more than one socket.");
>                         return -EINVAL;
>                 }
>
>                 socket_fd = params->fds[0];
>         } else {
>                 socket_fd = -1;
>                 fds = params->fds;
>                 n_fds = params->n_fds;
>         }
>
> When socket_fd is -1 the SELinux context is not computed. Text like
> this would have saved a lot of head scratching and code reading :(

We should probably make this work for any service that is instantiated
with a single fd. Can you file a bug on github asking for this?

Lennart

--
Lennart Poettering, Berlin
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel


Re: [systemd-devel] systemd.socket man pages update suggestion

2021-06-12 Thread Mantas Mikulėnas
On Thu, Jun 10, 2021 at 9:44 PM Ted Toth wrote:

>  SELinuxContextFromNet=
>Takes a boolean argument. When true, systemd will attempt to
>figure out the SELinux label used for the instantiated
>service from the information handed by the peer over the
>network. Note that only the security level is used from the
>information provided by the peer. Other parts of the
>resulting SELinux context originate from either the target
>binary that is effectively triggered by socket unit or from
>the value of the SELinuxContext= option. This configuration
>option only affects sockets with Accept= mode set to "yes".
>Also note that this option is useful only when MLS/MCS
>SELinux policy is deployed. Defaults to "false".
>
> Add:
> One or more of the associated service files
> StandardInput/StandardOutput/StandardError options should be set to
> socket for this option to work.
>

IMHO that is a bit odd. I don't really see the reason why the option
wouldn't work with any Accept=yes service and would require stdin
specifically...

-- 
Mantas Mikulėnas


[systemd-devel] systemd.socket man pages update suggestion

2021-06-10 Thread Ted Toth
 SELinuxContextFromNet=
   Takes a boolean argument. When true, systemd will attempt to
   figure out the SELinux label used for the instantiated
   service from the information handed by the peer over the
   network. Note that only the security level is used from the
   information provided by the peer. Other parts of the
   resulting SELinux context originate from either the target
   binary that is effectively triggered by socket unit or from
   the value of the SELinuxContext= option. This configuration
   option only affects sockets with Accept= mode set to "yes".
   Also note that this option is useful only when MLS/MCS
   SELinux policy is deployed. Defaults to "false".

Add:
One or more of the associated service files
StandardInput/StandardOutput/StandardError options should be set to
socket for this option to work.

From execute.c:

        if (context->std_input == EXEC_INPUT_SOCKET ||
            context->std_output == EXEC_OUTPUT_SOCKET ||
            context->std_error == EXEC_OUTPUT_SOCKET) {

                if (params->n_fds != 1) {
                        log_unit_error(params->unit_id, "Got more than one socket.");
                        return -EINVAL;
                }

                socket_fd = params->fds[0];
        } else {
                socket_fd = -1;
                fds = params->fds;
                n_fds = params->n_fds;
        }

When socket_fd is -1 the SELinux context is not computed. Text like
this would have saved a lot of head scratching and code reading :(

Ted
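As an added illustration of the point Ted raises (this is not part of the thread and not systemd's own documentation or code), here is a minimal socket/service pair wired so that SELinuxContextFromNet= can actually take effect. The unit names, listening port and handler path are placeholders chosen for the example; the directives themselves are standard systemd.socket and systemd.exec options.

```ini
# Added example, not from the thread. Unit names, port and the handler path
# are placeholders.

# /etc/systemd/system/mls-echo.socket
[Socket]
ListenStream=0.0.0.0:5555
# One service instance per accepted connection. SELinuxContextFromNet= only
# applies to Accept=yes sockets.
Accept=yes
# Use the MLS/MCS security level from the peer's labeled connection for the
# instance's context; meaningful only when an MLS/MCS policy is loaded.
SELinuxContextFromNet=yes

[Install]
WantedBy=sockets.target

# /etc/systemd/system/mls-echo@.service
# Template unit: Accept=yes spawns mls-echo@<n>-<addr>:<port>.service per connection.
[Service]
ExecStart=/usr/local/bin/mls-echo-handler
# At least one of StandardInput/StandardOutput/StandardError must be "socket".
# With the default StandardInput=null the branch quoted from execute.c takes
# the else path, socket_fd stays -1, and no per-peer SELinux context is computed,
# so SELinuxContextFromNet=yes silently does nothing.
StandardInput=socket
StandardOutput=socket
StandardError=journal
```

After `systemctl daemon-reload` and `systemctl start mls-echo.socket`, `systemctl cat mls-echo@.service` confirms the stdio wiring is in place; a service template that routes none of its three standard streams to the socket is the configuration that reproduces the "option set but context never derived" behaviour described in the thread.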