mirror of
https://github.com/SELinuxProject/refpolicy
synced 2025-03-19 17:54:02 +00:00
364621e6ec
Systemd uses a number of UNIX sockets for communication (notify socket [1], journald socket). These sockets are normally created at start-up after the SELinux policy is loaded, which means that the kernel socket objects have proper security contexts of the creating processes. Unfortunately things look different when the system is started with an initrd that is also running systemd (e.g. dracut). In such case the sockets are created in the initrd systemd environment before the SELinux policy is loaded and therefore the socket object is assigned the default kernel context (system_u:system_r:kernel_t). When the initrd systemd transfers control to the main systemd the notify socket descriptors are passed to the main systemd process [2]. This means that when the main system is running the sockets will use the default kernel securint context until they are recreated, which for some sockets (notify socket) never happens. Until there is a way to change the context of an already open socket object all processes, that wish to use systemd sockets need to be able to send datagrams to system_u:system_r:kernel_t sockets. Parts of this workaround were earlier hidden behind RedHat-specific rules, since this distribution is the prime user of systemd+dracut combo. Since other distros may want to use similar configuration it makes sense to enable this globally. [1] sd_notify(3) [2] https://github.com/systemd/systemd/issues/16714 Signed-off-by: Krzysztof Nowicki <krissn@op.pl> tmp |
||
|---|---|---|
| .. | ||
| corecommands.fc | ||
| corecommands.if | ||
| corecommands.te | ||
| corenetwork.fc | ||
| corenetwork.if.in | ||
| corenetwork.if.m4 | ||
| corenetwork.te.in | ||
| corenetwork.te.m4 | ||
| devices.fc | ||
| devices.if | ||
| devices.te | ||
| domain.fc | ||
| domain.if | ||
| domain.te | ||
| files.fc | ||
| files.if | ||
| files.te | ||
| filesystem.fc | ||
| filesystem.if | ||
| filesystem.te | ||
| kernel.fc | ||
| kernel.if | ||
| kernel.te | ||
| mcs.fc | ||
| mcs.if | ||
| mcs.te | ||
| metadata.xml | ||
| mls.fc | ||
| mls.if | ||
| mls.te | ||
| selinux.fc | ||
| selinux.if | ||
| selinux.te | ||
| storage.fc | ||
| storage.if | ||
| storage.te | ||
| terminal.fc | ||
| terminal.if | ||
| terminal.te | ||
| ubac.fc | ||
| ubac.if | ||
| ubac.te | ||