I want to turn on a part of the kernel to make SELinux checking more stringent.

Daniel J Walsh dwalsh at redhat.com
Fri Jan 24 15:52:32 UTC 2014

Hash: SHA1

On 01/24/2014 10:32 AM, Lennart Poettering wrote:
> On Fri, 24.01.14 10:22, Daniel J Walsh (dwalsh at redhat.com) wrote:
> Heya,
> Do we really need a service for this? Can't this be done instead via a 
> tmpfiles snippet that uses "f" and the extra argument at the end?
No I did not know that tmpfiles.d did this.  I will look into using that.
> I mean I am not convinced it's worth involving shell here. Also the 
> canonical way to write things to /proc or /sys is 
> {/etc,/usr/lib/}/sysctl.d/ and {/etc,/usr/lib/}/tmpfiles.d/ if it's simple
> and static. And I don't see why we shouldn't do this differently in this
> case than in all others...
> If you would ship a simple tmpfiles snippet in /usr/lib/tmpfiles.d/, then
> users who want to opt out of this could simply symlink the file to 
> /dev/null in /etc/tmpfiles.d/.

>> I wrote a systemd unit file to enable it, and to allow a user to disable
>> the feature if he wants.
>> # cat /usr/lib/systemd/system/selinux-checkreqprot.service [Unit] 
>> Description=SELinux check actual protection flags applied by kernel,
>> rather than checking what application requested.
>> [Service] Type=oneshot RemainAfterExit=yes Environment="CHECKREQPROT=0" 
>> EnvironmentFile=-/etc/selinux/config ExecStart=/bin/sh -c '/bin/echo
>> $CHECKREQPROT > /sys/fs/selinux/checkreqprot'
>> I would like to enable this service on the post install of a initial
>> install of libselinux.  But I believe this will not happen with
>> %systemd_post_enable selinux-checkreqprot.service
>> How would I go about doing this?
>> I know there is one problem in the unit file, it will fail if 
>> /sys/fs/selinux/checkreqprot, does not exist.  Is their an easy check to
>> just exit if this file does not exist?
>> Also is using a unit file for this, the best way to handle this?
> Lennart

Version: GnuPG v1
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/


More information about the devel mailing list