I want to turn on a part of the kernel to make SELinux checking more stringent.

Lennart Poettering mzerqung at 0pointer.de
Fri Jan 24 15:32:54 UTC 2014

On Fri, 24.01.14 10:22, Daniel J Walsh (dwalsh at redhat.com) wrote:


Do we really need a service for this? Can't this be done instead via a
tmpfiles snippet that uses "f" and the extra argument at the end?

I mean I am not convinced it's worth involving shell here. Also the
canonical way to write things to /proc or /sys is
{/etc,/usr/lib/}/sysctl.d/ and {/etc,/usr/lib/}/tmpfiles.d/ if it's
simple and static. And I don't see why we shouldn't do this differently
in this case than in all others...

If you would ship a simple tmpfiles snippet in /usr/lib/tmpfiles.d/,
then users who want to opt out of this could simply symlink the file to
/dev/null in /etc/tmpfiles.d/.

> Hash: SHA1
> I wrote a systemd unit file to enable it, and to allow a user to disable the
> feature if he wants.
> # cat /usr/lib/systemd/system/selinux-checkreqprot.service
> [Unit]
> Description=SELinux check actual protection flags applied by kernel, rather
> than checking what application requested.
> [Service]
> Type=oneshot
> RemainAfterExit=yes
> Environment="CHECKREQPROT=0"
> EnvironmentFile=-/etc/selinux/config
> ExecStart=/bin/sh -c '/bin/echo $CHECKREQPROT > /sys/fs/selinux/checkreqprot'
> I would like to enable this service on the post install of a initial install
> of libselinux.  But I believe this will not happen with
> %systemd_post_enable selinux-checkreqprot.service
> How would I go about doing this?
> I know there is one problem in the unit file, it will fail if
> /sys/fs/selinux/checkreqprot, does not exist.  Is their an easy check to just
> exit if this file does not exist?
> Also is using a unit file for this, the best way to handle this?


Lennart Poettering, Red Hat

More information about the devel mailing list