1
0
mirror of https://github.com/systemd/systemd.git synced 2025-01-11 09:18:07 +03:00

nspawn,man: use a common vocabulary when referring to selinux security contexts

Let's always call the security labels the same way:

  SMACK: "Smack Label"
  SELINUX: "SELinux Security Context"

And the low-level encapsulation is called "seclabel". Now let's hope we
stick to this vocabulary in future, too, and don't mix "label"s and
"security contexts" and so on wildly.
This commit is contained in:
Lennart Poettering 2014-02-10 12:32:03 +01:00
parent 0d3f7bb3a5
commit 82adf6af7c
7 changed files with 65 additions and 59 deletions

View File

@ -333,7 +333,7 @@ along with systemd; If not, see <http://www.gnu.org/licenses/>.
but will check the bounding capabilities mask.</para>
<para><function>sd_bus_creds_get_selinux_context</function> will
retrieve the SELinux context of the process.</para>
retrieve the SELinux security context (label) of the process.</para>
<para><function>sd_bus_creds_get_audit_session_id</function> will
retrieve the audit session identifier of the process.</para>

View File

@ -249,23 +249,23 @@
</varlistentry>
<varlistentry>
<term><option>-L</option></term>
<term><option>--apifs-label=</option></term>
<term><option>-Z</option></term>
<term><option>--selinux-context=</option></term>
<listitem><para>Sets the mandatory
access control (MAC/SELinux) file
label to be used by virtual API file
systems in the container.</para>
<listitem><para>Sets the SELinux
security context to be used to label
processes in the container.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>-Z</option></term>
<term><option>--process-label=</option></term>
<term><option>-L</option></term>
<term><option>--selinux-apifs-context=</option></term>
<listitem><para>Sets the mandatory
access control (MAC/SELinux) label to be used by
processes in the container.</para>
<listitem><para>Sets the SELinux security
context to be used to label files in
the virtual API file systems in the
container.</para>
</listitem>
</varlistentry>
@ -495,7 +495,7 @@
<programlisting># chcon system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -R /srv/container
# systemd-nspawn -L system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -Z system_u:system_r:svirt_lxc_net_t:s0:c0,c1 -D /srv/container /bin/sh</programlisting>
<para>This runs a container with SELinux sandbox labels.</para>
<para>This runs a container with SELinux sandbox security contexts.</para>
</refsect1>
<refsect1>

View File

@ -953,12 +953,16 @@
<varlistentry>
<term><varname>SELinuxContext=</varname></term>
<listitem><para>Set the SELinux context of the
executed process. If set, this will override the
automated domain transition. However, the policy
still need to autorize the transition. This directive
is ignored if SELinux is disabled. If prefixed by <literal>-</literal>,
all errors will be ignored. See
<listitem><para>Set the SELinux
security context of the executed
process. If set, this will override
the automated domain
transition. However, the policy still
needs to autorize the transition. This
directive is ignored if SELinux is
disabled. If prefixed by
<literal>-</literal>, all errors will
be ignored. See
<citerefentry><refentrytitle>setexeccon</refentrytitle><manvolnum>3</manvolnum></citerefentry>
for details.</para></listitem>
</varlistentry>

View File

@ -244,8 +244,8 @@
<term><varname>_SELINUX_CONTEXT=</varname></term>
<listitem>
<para>The SELinux security
context of the process the
journal entry originates
context (label) of the process
the journal entry originates
from.</para>
</listitem>
</varlistentry>

View File

@ -174,7 +174,7 @@ L /tmp/foobar - - - - /dev/null</programlisting>
adjust its access mode, group
and user to the specified
values and reset the SELinux
label. If it does not exist, do
security context. If it does not exist, do
nothing.</para></listitem>
</varlistentry>
@ -242,7 +242,7 @@ L /tmp/foobar - - - - /dev/null</programlisting>
<varlistentry>
<term><varname>z</varname></term>
<listitem><para>Restore
SELinux security context label
SELinux security context
and set ownership and access
mode of a file or directory if
it exists. Lines of this type
@ -255,7 +255,7 @@ L /tmp/foobar - - - - /dev/null</programlisting>
<term><varname>Z</varname></term>
<listitem><para>Recursively
restore SELinux security
context label and set
context and set
ownership and access mode of a
path and all its
subdirectories (if it is a

View File

@ -2123,7 +2123,6 @@ void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) {
fprintf(f,
"%sSELinuxContext: %s\n",
prefix, c->selinux_context);
}
void exec_status_start(ExecStatus *s, pid_t pid) {

View File

@ -80,8 +80,8 @@ static char *arg_directory = NULL;
static char *arg_user = NULL;
static sd_id128_t arg_uuid = {};
static char *arg_machine = NULL;
static char *arg_process_label = NULL;
static char *arg_apifs_label = NULL;
static char *arg_selinux_context = NULL;
static char *arg_selinux_apifs_context = NULL;
static const char *arg_slice = NULL;
static bool arg_private_network = false;
static bool arg_read_only = false;
@ -131,10 +131,12 @@ static int help(void) {
" --uuid=UUID Set a specific machine UUID for the container\n"
" -M --machine=NAME Set the machine name for the container\n"
" -S --slice=SLICE Place the container in the specified slice\n"
" -L --apifs-label=LABEL Set the MAC file label to be used by API/tmpfs file\n"
" systems in the container\n"
" -Z --process-label=LABEL Set the MAC label to be used by processes in\n"
" the container\n"
" -Z --selinux-context=SECLABEL\n"
" Set the SELinux security context to be used by\n"
" processes in the container\n"
" -L --selinux-apifs-context=SECLABEL\n"
" Set the SELinux security context to be used by\n"
" API/tmpfs file systems in the container\n"
" --private-network Disable network in container\n"
" --read-only Mount the root directory read-only\n"
" --capability=CAP In addition to the default, retain specified\n"
@ -168,25 +170,25 @@ static int parse_argv(int argc, char *argv[]) {
};
static const struct option options[] = {
{ "help", no_argument, NULL, 'h' },
{ "version", no_argument, NULL, ARG_VERSION },
{ "directory", required_argument, NULL, 'D' },
{ "user", required_argument, NULL, 'u' },
{ "private-network", no_argument, NULL, ARG_PRIVATE_NETWORK },
{ "boot", no_argument, NULL, 'b' },
{ "uuid", required_argument, NULL, ARG_UUID },
{ "read-only", no_argument, NULL, ARG_READ_ONLY },
{ "capability", required_argument, NULL, ARG_CAPABILITY },
{ "drop-capability", required_argument, NULL, ARG_DROP_CAPABILITY },
{ "link-journal", required_argument, NULL, ARG_LINK_JOURNAL },
{ "bind", required_argument, NULL, ARG_BIND },
{ "bind-ro", required_argument, NULL, ARG_BIND_RO },
{ "machine", required_argument, NULL, 'M' },
{ "slice", required_argument, NULL, 'S' },
{ "setenv", required_argument, NULL, ARG_SETENV },
{ "process-label", required_argument, NULL, 'Z' },
{ "apifs-label", required_argument, NULL, 'L' },
{ "quiet", no_argument, NULL, 'q' },
{ "help", no_argument, NULL, 'h' },
{ "version", no_argument, NULL, ARG_VERSION },
{ "directory", required_argument, NULL, 'D' },
{ "user", required_argument, NULL, 'u' },
{ "private-network", no_argument, NULL, ARG_PRIVATE_NETWORK },
{ "boot", no_argument, NULL, 'b' },
{ "uuid", required_argument, NULL, ARG_UUID },
{ "read-only", no_argument, NULL, ARG_READ_ONLY },
{ "capability", required_argument, NULL, ARG_CAPABILITY },
{ "drop-capability", required_argument, NULL, ARG_DROP_CAPABILITY },
{ "link-journal", required_argument, NULL, ARG_LINK_JOURNAL },
{ "bind", required_argument, NULL, ARG_BIND },
{ "bind-ro", required_argument, NULL, ARG_BIND_RO },
{ "machine", required_argument, NULL, 'M' },
{ "slice", required_argument, NULL, 'S' },
{ "setenv", required_argument, NULL, ARG_SETENV },
{ "selinux-context", required_argument, NULL, 'Z' },
{ "selinux-apifs-context", required_argument, NULL, 'L' },
{ "quiet", no_argument, NULL, 'q' },
{}
};
@ -261,12 +263,12 @@ static int parse_argv(int argc, char *argv[]) {
break;
case 'L':
arg_apifs_label = optarg;
case 'Z':
arg_selinux_context = optarg;
break;
case 'Z':
arg_process_label = optarg;
case 'L':
arg_selinux_apifs_context = optarg;
break;
case ARG_READ_ONLY:
@ -449,8 +451,9 @@ static int mount_all(const char *dest) {
mkdir_p(where, 0755);
#ifdef HAVE_SELINUX
if (arg_apifs_label && (streq_ptr(mount_table[k].what, "tmpfs") || streq_ptr(mount_table[k].what, "devpts"))) {
options = strjoin(mount_table[k].options, ",context=\"", arg_apifs_label, "\"", NULL);
if (arg_selinux_apifs_context &&
(streq_ptr(mount_table[k].what, "tmpfs") || streq_ptr(mount_table[k].what, "devpts"))) {
options = strjoin(mount_table[k].options, ",context=\"", arg_selinux_apifs_context, "\"", NULL);
if (!options)
return log_oom();
@ -1535,9 +1538,9 @@ int main(int argc, char *argv[]) {
env_use = (char**) envp;
#ifdef HAVE_SELINUX
if (arg_process_label)
if (setexeccon(arg_process_label) < 0)
log_error("setexeccon(\"%s\") failed: %m", arg_process_label);
if (arg_selinux_context)
if (setexeccon(arg_selinux_context) < 0)
log_error("setexeccon(\"%s\") failed: %m", arg_selinux_context);
#endif
if (arg_boot) {
char **a;