author    Lennart Poettering <lennart@poettering.net>  2022-07-12 16:13:40 +0200
committer Lennart Poettering <lennart@poettering.net>  2022-07-20 19:08:28 +0200
commit    23e9a7dde519694120a493c8600c2168456e8a4f (patch)
tree      0cb66ef7b3d064d2e7350d8cf671438f2ad07c59 /man/org.freedesktop.systemd1.xml
parent    74c1cf626730a34fbd2d39ed016db21c9748d944 (diff)
download  systemd-23e9a7dde519694120a493c8600c2168456e8a4f.tar.gz
core: cache unit file selinux label, and make decisions based on that
Do not go back to disk on each selinux access, but instead cache the label off the inode we are actually reading. That way unit file contents and unit file label we use for access checks are always in sync. Based on discussions here: https://github.com/systemd/systemd/pull/10023#issuecomment-1179835586

Replaces: https://github.com/systemd/systemd/pull/23910

This changes behaviour a bit, because we'll reach and cache the label at the moment of loading the unit (i.e. usually on boot and reload), but not after relabelling. Thus, users must refresh the cache explicitly via a "systemctl daemon-reload" if they relabelled things.

This makes the SELinux story a bit more debuggable, as it adds an AccessSELinuxContext bus property to units that will report the label we are using for a unit (or the empty string if not known).

This also drops using the "source" path of a unit as label source. If there's value in it, then generators should manually copy the selinux label from the source files onto the generated unit files, so that the rule that "access labels are read when we read the definition files" is upheld. But I am not convinced this is really a necessary, good idea.
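The commit message above describes a cache that is only refreshed by "systemctl daemon-reload", so a relabelled unit file can silently disagree with the label the service manager is still enforcing. The script below is an added example, not part of this commit or of systemd's own code: it maps a unit name to its D-Bus object path the way systemd escapes it (as seen in the introspection block for avahi-daemon.service), reads the new AccessSELinuxContext property with busctl, reads the label currently on the unit's fragment file, and reports whether the two are in sync. It assumes busctl and systemctl are on the path and that stat is GNU coreutils (for "%C"); unit names are assumed to be ASCII, and the helper names are this example's own.

```shell
#!/bin/sh
# Added example (not systemd code): detect a stale cached SELinux label for a
# unit by comparing the AccessSELinuxContext bus property, which is cached when
# the unit is loaded and refreshed only by "systemctl daemon-reload", with the
# label currently on the unit's fragment file on disk.
# Assumes: busctl, systemctl and GNU stat ("%C" prints the SELinux context).
set -u
LC_ALL=C
export LC_ALL

# Map a unit name to its D-Bus object path the way systemd's bus label
# escaping does: keep [a-zA-Z], keep digits unless they are the first
# character, and encode everything else as "_" plus two lowercase hex digits.
# ASCII-only, which covers ordinary unit names.
unit_object_path() {
    name=$1
    out=""
    first=1
    while [ -n "$name" ]; do
        c=${name%"${name#?}"}   # first character of $name
        name=${name#?}          # drop it
        case $c in
            [a-zA-Z])
                out="$out$c" ;;
            [0-9])
                if [ "$first" -eq 1 ]; then
                    out="$out$(printf '_%02x' "'$c")"
                else
                    out="$out$c"
                fi ;;
            *)
                out="$out$(printf '_%02x' "'$c")" ;;
        esac
        first=0
    done
    printf '/org/freedesktop/systemd1/unit/%s\n' "$out"
}

# Extract the string from "busctl get-property" output, which prints the type
# signature followed by the quoted value, e.g.
#   s "system_u:object_r:systemd_unit_file_t:s0"
busctl_string() {
    v=${1#s }
    v=${v#\"}
    v=${v%\"}
    printf '%s\n' "$v"
}

# Classify cached vs. on-disk label. Prints one of:
#   none   - nothing cached (SELinux off, or the unit is not backed by a file)
#   synced - cached label matches the file's current label
#   stale  - file was relabelled after load; daemon-reload is needed
label_state() {
    cached=$1
    ondisk=$2
    if [ -z "$cached" ]; then
        echo none
    elif [ "$cached" = "$ondisk" ]; then
        echo synced
    else
        echo stale
    fi
}

# Live check of one unit on a systemd host with SELinux (needs bus access).
check_unit() {
    unit=$1
    path=$(unit_object_path "$unit")
    cached=$(busctl_string "$(busctl get-property org.freedesktop.systemd1 \
        "$path" org.freedesktop.systemd1.Unit AccessSELinuxContext)")
    fragment=$(systemctl show -p FragmentPath --value "$unit")
    ondisk=""
    if [ -n "$fragment" ]; then
        ondisk=$(stat -c %C "$fragment")   # prints "?" when SELinux is disabled
    fi
    state=$(label_state "$cached" "$ondisk")
    printf '%s: cached=%s ondisk=%s -> %s\n' "$unit" "$cached" "$ondisk" "$state"
    if [ "$state" = stale ]; then
        echo "  run: systemctl daemon-reload"
    fi
}

# Usage: ./check-unit-label.sh avahi-daemon.service
if [ $# -gt 0 ]; then
    check_unit "$1"
fi
```

A "stale" result means the manager is still making access decisions with the label it read at load time, not the one now on disk; a "none" result on a SELinux-enabled host usually means the unit is not file-backed (for instance a transient unit), which is exactly the case the new property documents as the empty string.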
Diffstat (limited to 'man/org.freedesktop.systemd1.xml')

-rw-r--r--  man/org.freedesktop.systemd1.xml | 9
1 files changed, 9 insertions, 0 deletions
diff --git a/man/org.freedesktop.systemd1.xml b/man/org.freedesktop.systemd1.xml
index 7803cc9cf9..f821d6562a 100644
--- a/man/org.freedesktop.systemd1.xml
+++ b/man/org.freedesktop.systemd1.xml
@@ -1650,6 +1650,11 @@ node /org/freedesktop/systemd1 {
that the root path is encoded as the empty string here (not as <literal>/</literal>!), so that it can be
appended to <filename>/sys/fs/cgroup/systemd</filename> easily. This value will be set to the empty
string for the host instance and some other string for container instances.</para>
+
+ <para><varname>AccessSELinuxContext</varname> contains the SELinux context that is used to control
+ access to the unit. It's read from the unit file when it is loaded and cached until the service manager
+ is reloaded. This property contains an empty string if SELinux is not used or if no label could be read
+ (for example because the unit is not backed by a file on disk).</para>
</refsect2>
<refsect2>
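Review bot: the new paragraph (the `+` lines following the cgroup paragraph) says the context is "cached until the service manager is reloaded" but leaves the operational consequence implicit: per the commit message, after a unit file is relabelled both this property and the access checks based on it stay stale until `systemctl daemon-reload`. Suggest spelling that out, e.g. "After relabelling a unit file, run systemctl daemon-reload so that the cached context (and the access checks based on it) are refreshed." It would also help to state here that the context is taken from the unit file itself and not from any "source" path, since the commit drops that fallback and generator authors would otherwise look for it in this paragraph.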
@@ -1783,6 +1788,8 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2eservice {
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly s Description = '...';
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
+ readonly s AccessSELinuxContext = '...';
+ @org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly s LoadState = '...';
readonly s ActiveState = '...';
readonly s FreezerState = '...';
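Review bot: the `+` lines slot `readonly s AccessSELinuxContext` under the `EmitsChangedSignal("const")` annotation that previously belonged to `LoadState` and then re-add that annotation for `LoadState`; the result is correct, but the diff reads more naturally if the annotation and the property are added together as a pair directly above `readonly s LoadState`. Separately, `const` tells clients the value never changes for the object's lifetime, while the prose says the cached value is re-read on daemon-reload; that is consistent with how `Description` is annotated a few lines up, but a sentence in the property description noting that no PropertiesChanged signal is emitted after a reload would save clients from polling incorrectly.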
@@ -2090,6 +2097,8 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2eservice {
<variablelist class="dbus-property" generated="True" extra-ref="Description"/>
+ <variablelist class="dbus-property" generated="True" extra-ref="AccessSELinuxContext"/>
+
<variablelist class="dbus-property" generated="True" extra-ref="LoadState"/>
<variablelist class="dbus-property" generated="True" extra-ref="ActiveState"/>
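Review bot: the `+` lines add a blank line between the new `AccessSELinuxContext` variablelist and `LoadState` while leaving `Description` and `AccessSELinuxContext` adjacent; check this matches the grouping convention used elsewhere in this file, otherwise drop the blank so the three entries read as one run in the same order as the introspection block above, which lists `Description`, `AccessSELinuxContext`, `LoadState` consecutively.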