I want to turn on a part of the kernel to make SELinux checking more stringent.

Lennart Poettering mzerqung at 0pointer.de
Fri Jan 24 15:32:54 UTC 2014


On Fri, 24.01.14 10:22, Daniel J Walsh (dwalsh at redhat.com) wrote:

Heya,

Do we really need a service for this? Can't this be done instead via a
tmpfiles snippet that uses "f" and the extra argument at the end?

I mean I am not convinced it's worth involving shell here. Also the
canonical way to write things to /proc or /sys is
{/etc,/usr/lib/}/sysctl.d/ and {/etc,/usr/lib/}/tmpfiles.d/ if it's
simple and static. And I don't see why we shouldn't do this differently
in this case than in all others...

If you would ship a simple tmpfiles snippet in /usr/lib/tmpfiles.d/,
then users who want to opt out of this could simply symlink the file to
/dev/null in /etc/tmpfiles.d/.

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> I wrote a systemd unit file to enable it, and to allow a user to disable the
> feature if he wants.
> 
> # cat /usr/lib/systemd/system/selinux-checkreqprot.service
> [Unit]
> Description=SELinux check actual protection flags applied by kernel, rather than checking what application requested.
> 
> [Service]
> Type=oneshot
> RemainAfterExit=yes
> Environment="CHECKREQPROT=0"
> EnvironmentFile=-/etc/selinux/config
> ExecStart=/bin/sh -c '/bin/echo $CHECKREQPROT > /sys/fs/selinux/checkreqprot'
> 
> 
> I would like to enable this service on the post install of an initial install
> of libselinux.  But I believe this will not happen with
> 
> %systemd_post_enable selinux-checkreqprot.service
> 
> How would I go about doing this?
> 
> I know there is one problem in the unit file, it will fail if
> /sys/fs/selinux/checkreqprot does not exist.  Is there an easy check to just
> exit if this file does not exist?
> 
> Also, is using a unit file for this the best way to handle this?

Lennart

-- 
Lennart Poettering, Red Hat
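The tmpfiles.d approach Lennart sketches above, as an added example that is not from the thread or from any package: a vendor snippet under /usr/lib/tmpfiles.d/ that writes 0 to /sys/fs/selinux/checkreqprot, the /dev/null symlink in /etc/tmpfiles.d/ that an administrator uses to opt out, and a small resolver showing which copy wins. It uses the `w` type, which current tmpfiles.d(5) documents as writing the argument to a file only if that file exists (the mail says `f`, which today creates the file and only writes the argument on creation); `w` therefore also answers Dan's worry about kernels without /sys/fs/selinux/checkreqprot. The snippet file name and the scratch prefix are assumptions so the script runs without root and never touches the live system.

```shell
#!/bin/sh
# Added example, not code from the thread: build the tmpfiles.d snippet and
# its /dev/null mask under a scratch prefix and resolve which one applies.

SNIPPET_NAME=selinux-checkreqprot.conf   # hypothetical file name

# Vendor copy: ships under $1/usr/lib/tmpfiles.d/.
# 'w' writes the argument into an existing file and is a no-op when the path
# is absent, so a kernel without /sys/fs/selinux/checkreqprot is harmless.
write_vendor_snippet() {
    root=$1
    mkdir -p "$root/usr/lib/tmpfiles.d"
    printf '%s\n' \
        '# checkreqprot=0: SELinux checks the protection the kernel applies,' \
        '# not the protection the application requested.' \
        'w /sys/fs/selinux/checkreqprot - - - - 0' \
        > "$root/usr/lib/tmpfiles.d/$SNIPPET_NAME"
}

# Administrator opt-out: same file name in /etc/tmpfiles.d/, pointing at /dev/null.
mask_snippet() {
    root=$1
    mkdir -p "$root/etc/tmpfiles.d"
    ln -sf /dev/null "$root/etc/tmpfiles.d/$SNIPPET_NAME"
}

# Which copy systemd-tmpfiles honours: /etc overrides /run overrides /usr/lib,
# and a symlink to /dev/null in the winning slot masks the snippet entirely.
effective_snippet() {
    root=$1
    for dir in etc/tmpfiles.d run/tmpfiles.d usr/lib/tmpfiles.d; do
        path=$root/$dir/$SNIPPET_NAME
        if [ -L "$path" ] && [ "$(readlink "$path")" = /dev/null ]; then
            echo masked
            return 0
        elif [ -e "$path" ]; then
            echo "$path"
            return 0
        fi
    done
    echo none
    return 1
}

# Value that would be written to checkreqprot (last field of the 'w' line),
# or "masked" when the administrator has opted out.
snippet_value() {
    eff=$(effective_snippet "$1") || return 1
    [ "$eff" = masked ] && { echo masked; return 0; }
    awk '$1 == "w" && $2 == "/sys/fs/selinux/checkreqprot" { print $NF }' "$eff"
}

# Usage on a real system would be: install the vendor file, then run
# "systemd-tmpfiles --create" (or reboot). Here only the scratch layout is built.
if [ -n "$DEMO_ROOT" ]; then
    write_vendor_snippet "$DEMO_ROOT"
    echo "effective: $(effective_snippet "$DEMO_ROOT") value: $(snippet_value "$DEMO_ROOT")"
fi
```

Because the opt-out is a file in /etc rather than a unit to disable, nothing from the package post-install needs to enable a service, and an audit of the machine's policy reduces to checking the winning tmpfiles.d entry.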

