On Fri, 06.03.15 13:04, Jan Synáček (jsyna...@redhat.com) wrote:

> Hello,
>
> when systemd creates a socket file, it explicitly calls a selinux
> procedure to label it. I don't think that is needed, as the kernel does
> the right thing when the socket is created. Am I missing something? Why
> is the explicit labeling in place?
Well, it's complicated. If we use socket activation we label a socket taking into account the label of the binary that is eventually started for it.

And then, for file system sockets the kernel could traditionally only derive the label to use from the directory the socket was created in, which makes it difficult to have multiple sockets in the same directory with different labels, which is pretty frequently done though. That said, I think this limitation was lifted a while back in the kernel, and the policy can now also take the socket file name into consideration and derive different labels automatically.

Ultimately, I only superficially understand the selinux code. We rely on patches from Dan & co to keep it up-to-date. Better keep him in the loop.

Lennart

--
Lennart Poettering, Red Hat
_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
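Whichever mechanism ends up labelling a socket file (systemd setting the label explicitly based on the activated binary, or the kernel deriving it from the parent directory or, with newer policy, from the file name), the label that actually lands on the inode is what the policy enforces. The following audit script is an added example, not code from this thread or from systemd: it reads the `security.selinux` extended attribute of each socket in a directory and reports every socket whose label differs from what the operator expects. The directory name, socket names and the `foo_var_run_t` / `bar_var_run_t` labels are constructed for the demo; on a host without SELinux the kernel stores no label and the script reports those sockets as unlabelled instead of crashing.

```python
import errno
import os
import socket
import stat
import tempfile

# The xattr under which the kernel stores a file's SELinux context.
SELINUX_XATTR = "security.selinux"


def socket_label(path):
    """Return the SELinux context of a filesystem socket, or None when the
    kernel keeps no label for it (SELinux disabled, xattr-less filesystem,
    or a non-Linux platform without os.getxattr)."""
    if not hasattr(os, "getxattr"):
        return None
    try:
        raw = os.getxattr(path, SELINUX_XATTR, follow_symlinks=False)
    except OSError as e:
        if e.errno in (errno.ENODATA, errno.ENOTSUP, errno.EOPNOTSUPP):
            return None
        raise
    # The context is stored NUL-terminated; strip that before decoding.
    return raw.rstrip(b"\0").decode()


def audit_socket_labels(directory, expected):
    """Compare the label of every socket named in `expected` (name -> context)
    with the context the operator expects. Returns a list of
    (name, expected, actual) tuples for each mismatch; a missing file or a
    non-socket path is reported with a descriptive placeholder as `actual`."""
    mismatches = []
    for name, want in expected.items():
        path = os.path.join(directory, name)
        try:
            st = os.lstat(path)
        except FileNotFoundError:
            mismatches.append((name, want, "<missing>"))
            continue
        if not stat.S_ISSOCK(st.st_mode):
            mismatches.append((name, want, "<not a socket>"))
            continue
        got = socket_label(path)
        if got != want:
            mismatches.append((name, want, got))
    return mismatches


def create_socket(directory, name):
    """Bind an AF_UNIX socket at directory/name and return the path. The
    socket object is closed immediately; the inode left on disk is what
    carries the label we audit."""
    path = os.path.join(directory, name)
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        s.bind(path)
    finally:
        s.close()
    return path


def run_demo():
    """Create one socket in a fresh temporary directory and audit it against
    a constructed expectation. Returns the mismatch list: foo.sock will not
    carry the hypothetical label, and bar.sock is never created."""
    d = tempfile.mkdtemp(prefix="sockaudit-")
    create_socket(d, "foo.sock")
    expected = {
        "foo.sock": "system_u:object_r:foo_var_run_t:s0",  # hypothetical label
        "bar.sock": "system_u:object_r:bar_var_run_t:s0",  # hypothetical, never created
    }
    return audit_socket_labels(d, expected)


if __name__ == "__main__":
    for name, want, got in run_demo():
        print(f"{name}: expected {want}, got {got}")
```

Run against a real socket directory such as the one a unit's `ListenStream=` path lives in, the mismatch list tells you whether the explicit labelling systemd performs (or a name-based transition in the loaded policy) produced the context you intended; an entry with `None` as the actual value means the kernel stored no context at all.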