I want to turn on a part of the kernel to make SELinux checking more stringent.

Daniel J Walsh dwalsh at redhat.com
Fri Jan 24 15:52:32 UTC 2014


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/24/2014 10:32 AM, Lennart Poettering wrote:
> On Fri, 24.01.14 10:22, Daniel J Walsh (dwalsh at redhat.com) wrote:
> 
> Heya,
> 
> Do we really need a service for this? Can't this be done instead via a 
> tmpfiles snippet that uses "f" and the extra argument at the end?
> 
No, I did not know that tmpfiles.d did this.  I will look into using that.
> I mean I am not convinced it's worth involving shell here. Also the 
> canonical way to write things to /proc or /sys is 
> {/etc,/usr/lib/}/sysctl.d/ and {/etc,/usr/lib/}/tmpfiles.d/ if it's simple
> and static. And I don't see why we shouldn't do this differently in this
> case than in all others...
> 
> If you would ship a simple tmpfiles snippet in /usr/lib/tmpfiles.d/, then
> users who want to opt out of this could simply symlink the file to 
> /dev/null in /etc/tmpfiles.d/.
> 

>> 
>> I wrote a systemd unit file to enable it, and to allow a user to disable
>> the feature if he wants.
>> 
>> # cat /usr/lib/systemd/system/selinux-checkreqprot.service
>> [Unit]
>> Description=SELinux check actual protection flags applied by kernel, rather than checking what application requested.
>> 
>> [Service]
>> Type=oneshot
>> RemainAfterExit=yes
>> Environment="CHECKREQPROT=0"
>> EnvironmentFile=-/etc/selinux/config
>> ExecStart=/bin/sh -c '/bin/echo $CHECKREQPROT > /sys/fs/selinux/checkreqprot'
>> 
>> 
>> I would like to enable this service on the post install of an initial
>> install of libselinux.  But I believe this will not happen with
>> 
>> %systemd_post_enable selinux-checkreqprot.service
>> 
>> How would I go about doing this?
>> 
>> I know there is one problem in the unit file: it will fail if
>> /sys/fs/selinux/checkreqprot does not exist.  Is there an easy check to
>> just exit if this file does not exist?
>> 
>> Also is using a unit file for this, the best way to handle this?
> 
> Lennart
> 

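As an added example that is not part of the thread above, the following shell function shows the missing-file check Dan asks about: it writes a value to the selinuxfs knob only when the file exists and otherwise returns success, so a oneshot unit calling it does not fail on systems where SELinux is not enabled or selinuxfs is not mounted. The comments also spell out the declarative tmpfiles.d form Lennart suggests; the snippet file name used there is a hypothetical choice, and the `w` line type is taken from tmpfiles.d(5), where it is documented to write its argument to a file only if that file already exists.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread.
# Guarded write to a SELinux sysfs knob, mirroring the intent of the quoted
# ExecStart line but tolerating an absent /sys/fs/selinux/checkreqprot.

# set_checkreqprot PATH VALUE
#   Writes VALUE (0 or 1) to PATH if PATH exists; returns 0 without writing
#   when PATH is absent, returns 1 for a value outside {0,1}.
set_checkreqprot() {
    path=$1
    value=${2:-0}

    # The kernel does not expose this file when SELinux is disabled or
    # selinuxfs is not mounted; treat that as "nothing to do", not an error.
    if [ ! -e "$path" ]; then
        echo "skipping: $path does not exist" >&2
        return 0
    fi

    # checkreqprot is a boolean: 0 = check protection the kernel applies,
    # 1 = check protection the application requested.
    case "$value" in
        0|1) ;;
        *) echo "invalid value '$value' for $path" >&2; return 1 ;;
    esac

    # Write without a trailing newline, as tmpfiles.d "w" lines do.
    printf '%s' "$value" > "$path"
}

# Declarative equivalent in tmpfiles.d form (hypothetical file name
# /usr/lib/tmpfiles.d/selinux-checkreqprot.conf):
#   w /sys/fs/selinux/checkreqprot - - - - 0
# Per tmpfiles.d(5), "w" writes the argument only if the file exists, which is
# exactly the missing-file behaviour asked for in the thread. A local admin
# opts out by creating /etc/tmpfiles.d/selinux-checkreqprot.conf as a symlink
# to /dev/null, as Lennart describes.

# Usage on a real system (not executed when the file is sourced for testing):
#   set_checkreqprot /sys/fs/selinux/checkreqprot "${CHECKREQPROT:-0}"
```

The function form is useful where a unit must keep running shell (for example when CHECKREQPROT is read from /etc/selinux/config via EnvironmentFile); when the value is static, the tmpfiles.d line in the comments replaces the unit entirely and needs no existence check of its own.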

