author | Topi Miettinen <toiwoton@gmail.com> | 2021-11-12 00:33:01 +0200 |
---|---|---|
committer | Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> | 2021-11-12 17:17:21 +0100 |
commit | 006d1864fb7f7a880e8bb22ad7547a3c2fcb1db8 (patch) | |
tree | d0ef2216e8bec3f30b2adda3be45132d886414e5 /man/systemd.exec.xml | |
parent | b01ee585c9c2b538294c8de0036e5d384baeaa2c (diff) | |
download | systemd-006d1864fb7f7a880e8bb22ad7547a3c2fcb1db8.tar.gz |
execute: always log a warning when setting SELinux context fails
Update also manual page to explain how the transition can still fail.
Diffstat (limited to 'man/systemd.exec.xml')
-rw-r--r-- | man/systemd.exec.xml | 11 |
1 files changed, 7 insertions, 4 deletions
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index ecfaef3dfa..aea7116e29 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml @@ -730,10 +730,13 @@ CapabilityBoundingSet=~CAP_B CAP_C</programlisting> <listitem><para>Set the SELinux security context of the executed process. If set, this will override the automated domain transition. However, the policy still needs to authorize the transition. This directive is - ignored if SELinux is disabled. If prefixed by <literal>-</literal>, all errors will be ignored. This does not - affect commands prefixed with <literal>+</literal>. See <citerefentry - project='die-net'><refentrytitle>setexeccon</refentrytitle><manvolnum>3</manvolnum></citerefentry> for - details.</para></listitem> + ignored if SELinux is disabled. If prefixed by <literal>-</literal>, failing to set the SELinux + security context will be ignored, but it's still possible that the subsequent + <function>execve()</function> may fail if the policy doesn't allow the transition for the + non-overridden context. This does not affect commands prefixed with <literal>+</literal>. See + <citerefentry + project='die-net'><refentrytitle>setexeccon</refentrytitle><manvolnum>3</manvolnum></citerefentry> + for details.</para></listitem> </varlistentry> <varlistentry> |
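Review bot: In the added sentence for the `-` prefix, "the non-overridden context" never says which context the process ends up with once setting the requested one has failed and been ignored. Since the paragraph already speaks of "the automated domain transition", naming it here (for example "the context chosen by the automated domain transition") would let a reader tell why `execve()` can still be denied. The commit subject says a warning is now always logged on failure, but the text only says the failure "will be ignored"; stating that the failure is logged would tell administrators where to look when a unit with the `-` prefix starts in an unexpected domain or fails at exec. Minor wording: "it's still possible that ... may fail" doubles the hedge, so "the subsequent `execve()` may still fail" reads cleaner.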