mirror of https://github.com/systemd/systemd-stable.git synced 2024-12-24 21:34:08 +03:00
Backports of patch from systemd git to stable distributions
Ted X. Toth 29dbc62d74 manager: use target process context to set socket context
Use the target process context, not systemd's context, to set the socket context
when using SELinuxContextFromNet. Currently, when using the SELinuxContextFromNet
option for socket-activated services, systemd calls getcon_raw, which returns init_t,
and uses the resulting context to compute the context to be passed to the
setsockcreatecon call. A socket of type init_t is created and listened on, and
this means that SELinux policy cannot be written to control which processes
(SELinux types) can connect to the socket, since the ref policy allows all
'types' to connect to sockets of the type init_t. When security accessors see
that any process can connect to a socket, this raises serious concerns. I have
spoken with SELinux contributors in person and on the mailing list, and the
consensus is that the best solution is to use the target executable's context
when computing the socket's context in all cases.

[zjs review/comment:

This removes the branch that was added in 16115b0a7b.
16115b0a7b did two things: it had the branch here
in 'socket_determine_selinux_label()' and a code in 'exec_child()' to call
'label_get_child_mls_label(socket_fd, command->path, &label)'.

Before this patch, the flow was:
'''
mac_selinux_get_child_mls_label:
  peercon = getpeercon_raw(socket_fd);
  if (!exec_label)
     exec_label = getfilecon_raw(exe);

socket_open_fds:
  if (params->selinux_context_net)                 #
     label = mac_selinux_get_our_label();          #  this part is removed
  else                                             #
     label = mac_selinux_get_create_label_from_exe(path);
  socket_address_listen_in_cgroup(s, &p->address, label);

exec_child():
   exec_context = mac_selinux_get_child_mls_label(fd, executable, context->selinux_context);
   setexeccon(exec_context);
'''
]
2022-10-18 11:31:22 +02:00
.clusterfuzzlite ci: unpin CFLite 2022-04-26 09:13:57 +00:00
.github mkosi: Switch to Fedora 37 2022-10-17 16:02:16 +02:00
.semaphore semaphore: run autopkgtest with sudo 2022-08-11 13:36:15 +02:00
catalog man: reword some awkward sentences 2022-10-14 15:56:58 +02:00
coccinelle basic/list: drop LIST_IS_EMPTY 2022-07-02 12:46:16 +02:00
docs tree-wide: replace "plural(s)" by "plurals" 2022-10-17 15:10:53 +02:00
factory meson: also allow setting GIT_VERSION via templates 2022-04-05 22:18:31 +02:00
hwdb.d Update hwdb 2022-10-07 11:00:28 +02:00
LICENSES network: license all config files as CC0 2022-01-12 16:05:59 +01:00
man Merge pull request #25035 from keszybz/manager-method-names 2022-10-17 23:11:13 +02:00
mkosi.default.d mkosi: Switch to Fedora 37 2022-10-17 16:02:16 +02:00
modprobe.d meson: install the right README file in modprobe.d 2021-07-07 14:52:05 +02:00
network network: add example file that enables DHCP on ethernet links 2022-01-12 16:05:59 +01:00
po po: Translated using Weblate (Hungarian) 2022-08-10 06:04:56 +09:00
presets units: enable systemd-network-generator by default 2021-12-16 09:49:39 +01:00
rules.d udev-builtin-kmod: support to run without arguments 2022-10-14 21:32:24 +09:00
shell-completion tree-wide: replace "plural(s)" by "plurals" 2022-10-17 15:10:53 +02:00
src manager: use target process context to set socket context 2022-10-18 11:31:22 +02:00
sysctl.d tree-wide: link to docs.kernel.org for kernel documentation 2022-07-04 19:56:53 +02:00
sysusers.d Use descriptive name for nobody 2022-05-27 22:09:24 +01:00
test test: call sync() before checking the test logs 2022-10-17 20:24:24 +00:00
tmpfiles.d tree-wide: replace "plural(s)" by "plurals" 2022-10-17 15:10:53 +02:00
tools docs/DPS: use the SD_GPT_* constants here too 2022-09-21 15:30:31 +02:00
units pcrphase: add two additional phases 2022-10-17 12:09:43 +02:00
xorg xorg/50-systemd-user: add a full license header 2021-10-01 14:45:00 +02:00
.clang-format clang-format: Adjust style of pointers 2022-05-30 04:00:54 +09:00
.ctags editors: Prevent ctags from following symlinks 2019-02-15 11:01:20 -08:00
.dir-locals.el scripts: use 4 space indentation 2019-04-12 08:30:31 +02:00
.editorconfig docs: configure editorconfig for css and html 2022-05-17 21:13:17 +02:00
.gitattributes gitattributes: introduce and use "generated" attribute 2021-10-18 09:42:55 +02:00
.gitignore core/cgroup: CPUWeight/CPUShares support idle input 2022-08-11 14:25:58 +02:00
.mailmap mailmap: two more names 2021-03-30 13:17:58 +02:00
.packit.yml Packit: build SRPMs in Copr 2022-03-09 09:52:41 +00:00
.vimrc scripts: use 4 space indentation 2019-04-12 08:30:31 +02:00
.ycm_extra_conf.py ycm: add doc string for all the functions in configuration file 2017-11-29 13:21:49 -07:00
configure tools: shellcheck-ify tool scripts 2021-09-30 12:27:06 +02:00
LICENSE.GPL2 relicense to LGPLv2.1 (with exceptions) 2012-04-12 00:24:39 +02:00
LICENSE.LGPL2.1 licence: remove references to old FSF address 2012-12-17 11:41:31 +01:00
Makefile tree-wide: add spdx header on all scripts and helpers 2021-01-28 09:55:35 +01:00
meson_options.txt core: allow disabling system time correction if rtc returns time far in the future 2022-08-24 21:39:46 +01:00
meson.build qrcode-util: Add support for libqrencode 3.0 2022-10-17 08:45:16 +02:00
mkosi.build mkosi: Make sure bpf-framework works on CentOS Stream 8 as well 2022-10-17 08:45:48 +02:00
mkosi.postinst mkosi: Ensure we build all features/components in mkosi 2022-08-23 15:19:26 +02:00
NEWS Merge pull request #25036 from keszybz/plurals 2022-10-17 17:12:16 +02:00
README README: Fix libbpf minimum version 2022-10-17 08:45:16 +02:00
README.md README: drop graphs counting issues or PRs 2022-09-23 18:29:22 +09:00
TODO Update TODO 2022-10-17 16:10:42 +02:00

Systemd

System and Service Manager


Details

Most documentation is available on systemd's web site.

Assorted, older, general information about systemd can be found in the systemd Wiki.

Information about build requirements is provided in the README file.

Consult our NEWS file for information about what's new in the most recent systemd versions.

Please see the Code Map for information about this repository's layout and content.

Please see the Hacking guide for information on how to hack on systemd and test your modifications.

Please see our Contribution Guidelines for more information about filing GitHub Issues and posting GitHub Pull Requests.

When preparing patches for systemd, please follow our Coding Style Guidelines.

If you are looking for support, please contact our mailing list or join our IRC channel.

Stable branches with backported patches are available in the stable repo.