mirror of
https://github.com/systemd/systemd.git
synced 2025-01-11 09:18:07 +03:00
nspawn,man: use a common vocabulary when referring to selinux security contexts
Let's always call the security labels the same way: SMACK: "Smack Label" SELINUX: "SELinux Security Context" And the low-level encapsulation is called "seclabel". Now let's hope we stick to this vocabulary in future, too, and don't mix "label"s and "security contexts" and so on wildly.
This commit is contained in:
Lennart Poettering
parent
0d3f7bb3a5
commit
82adf6af7c
@ -333,7 +333,7 @@ along with systemd; If not, see <http://www.gnu.org/licenses/>.
|
|||||||
but will check the bounding capabilities mask.</para>
|
but will check the bounding capabilities mask.</para>
|
||||||
|
|
||||||
<para><function>sd_bus_creds_get_selinux_context</function> will
|
<para><function>sd_bus_creds_get_selinux_context</function> will
|
||||||
retrieve the SELinux context of the process.</para>
|
retrieve the SELinux security context (label) of the process.</para>
|
||||||
|
|
||||||
<para><function>sd_bus_creds_get_audit_session_id</function> will
|
<para><function>sd_bus_creds_get_audit_session_id</function> will
|
||||||
retrieve the audit session identifier of the process.</para>
|
retrieve the audit session identifier of the process.</para>
|
||||||
|
|||||||
@ -249,23 +249,23 @@
|
|||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><option>-L</option></term>
|
<term><option>-Z</option></term>
|
||||||
<term><option>--apifs-label=</option></term>
|
<term><option>--selinux-context=</option></term>
|
||||||
|
|
||||||
<listitem><para>Sets the mandatory
|
<listitem><para>Sets the SELinux
|
||||||
access control (MAC/SELinux) file
|
security context to be used to label
|
||||||
label to be used by virtual API file
|
processes in the container.</para>
|
||||||
systems in the container.</para>
|
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><option>-Z</option></term>
|
<term><option>-L</option></term>
|
||||||
<term><option>--process-label=</option></term>
|
<term><option>--selinux-apifs-context=</option></term>
|
||||||
|
|
||||||
<listitem><para>Sets the mandatory
|
<listitem><para>Sets the SELinux security
|
||||||
access control (MAC/SELinux) label to be used by
|
context to be used to label files in
|
||||||
processes in the container.</para>
|
the virtual API file systems in the
|
||||||
|
container.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -495,7 +495,7 @@
|
|||||||
<programlisting># chcon system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -R /srv/container
|
<programlisting># chcon system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -R /srv/container
|
||||||
# systemd-nspawn -L system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -Z system_u:system_r:svirt_lxc_net_t:s0:c0,c1 -D /srv/container /bin/sh</programlisting>
|
# systemd-nspawn -L system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -Z system_u:system_r:svirt_lxc_net_t:s0:c0,c1 -D /srv/container /bin/sh</programlisting>
|
||||||
|
|
||||||
<para>This runs a container with SELinux sandbox labels.</para>
|
<para>This runs a container with SELinux sandbox security contexts.</para>
|
||||||
</refsect1>
|
</refsect1>
|
||||||
|
|
||||||
<refsect1>
|
<refsect1>
|
||||||
|
|||||||
@ -953,12 +953,16 @@
|
|||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><varname>SELinuxContext=</varname></term>
|
<term><varname>SELinuxContext=</varname></term>
|
||||||
|
|
||||||
<listitem><para>Set the SELinux context of the
|
<listitem><para>Set the SELinux
|
||||||
executed process. If set, this will override the
|
security context of the executed
|
||||||
automated domain transition. However, the policy
|
process. If set, this will override
|
||||||
still need to autorize the transition. This directive
|
the automated domain
|
||||||
is ignored if SELinux is disabled. If prefixed by <literal>-</literal>,
|
transition. However, the policy still
|
||||||
all errors will be ignored. See
|
needs to autorize the transition. This
|
||||||
|
directive is ignored if SELinux is
|
||||||
|
disabled. If prefixed by
|
||||||
|
<literal>-</literal>, all errors will
|
||||||
|
be ignored. See
|
||||||
<citerefentry><refentrytitle>setexeccon</refentrytitle><manvolnum>3</manvolnum></citerefentry>
|
<citerefentry><refentrytitle>setexeccon</refentrytitle><manvolnum>3</manvolnum></citerefentry>
|
||||||
for details.</para></listitem>
|
for details.</para></listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|||||||
@ -244,8 +244,8 @@
|
|||||||
<term><varname>_SELINUX_CONTEXT=</varname></term>
|
<term><varname>_SELINUX_CONTEXT=</varname></term>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>The SELinux security
|
<para>The SELinux security
|
||||||
context of the process the
|
context (label) of the process
|
||||||
journal entry originates
|
the journal entry originates
|
||||||
from.</para>
|
from.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|||||||
@ -174,7 +174,7 @@ L /tmp/foobar - - - - /dev/null</programlisting>
|
|||||||
adjust its access mode, group
|
adjust its access mode, group
|
||||||
and user to the specified
|
and user to the specified
|
||||||
values and reset the SELinux
|
values and reset the SELinux
|
||||||
label. If it does not exist, do
|
security context. If it does not exist, do
|
||||||
nothing.</para></listitem>
|
nothing.</para></listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -242,7 +242,7 @@ L /tmp/foobar - - - - /dev/null</programlisting>
|
|||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><varname>z</varname></term>
|
<term><varname>z</varname></term>
|
||||||
<listitem><para>Restore
|
<listitem><para>Restore
|
||||||
SELinux security context label
|
SELinux security context
|
||||||
and set ownership and access
|
and set ownership and access
|
||||||
mode of a file or directory if
|
mode of a file or directory if
|
||||||
it exists. Lines of this type
|
it exists. Lines of this type
|
||||||
@ -255,7 +255,7 @@ L /tmp/foobar - - - - /dev/null</programlisting>
|
|||||||
<term><varname>Z</varname></term>
|
<term><varname>Z</varname></term>
|
||||||
<listitem><para>Recursively
|
<listitem><para>Recursively
|
||||||
restore SELinux security
|
restore SELinux security
|
||||||
context label and set
|
context and set
|
||||||
ownership and access mode of a
|
ownership and access mode of a
|
||||||
path and all its
|
path and all its
|
||||||
subdirectories (if it is a
|
subdirectories (if it is a
|
||||||
|
|||||||
@ -2123,7 +2123,6 @@ void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) {
|
|||||||
fprintf(f,
|
fprintf(f,
|
||||||
"%sSELinuxContext: %s\n",
|
"%sSELinuxContext: %s\n",
|
||||||
prefix, c->selinux_context);
|
prefix, c->selinux_context);
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
void exec_status_start(ExecStatus *s, pid_t pid) {
|
void exec_status_start(ExecStatus *s, pid_t pid) {
|
||||||
|
|||||||
@ -80,8 +80,8 @@ static char *arg_directory = NULL;
|
|||||||
static char *arg_user = NULL;
|
static char *arg_user = NULL;
|
||||||
static sd_id128_t arg_uuid = {};
|
static sd_id128_t arg_uuid = {};
|
||||||
static char *arg_machine = NULL;
|
static char *arg_machine = NULL;
|
||||||
static char *arg_process_label = NULL;
|
static char *arg_selinux_context = NULL;
|
||||||
static char *arg_apifs_label = NULL;
|
static char *arg_selinux_apifs_context = NULL;
|
||||||
static const char *arg_slice = NULL;
|
static const char *arg_slice = NULL;
|
||||||
static bool arg_private_network = false;
|
static bool arg_private_network = false;
|
||||||
static bool arg_read_only = false;
|
static bool arg_read_only = false;
|
||||||
@ -131,10 +131,12 @@ static int help(void) {
|
|||||||
" --uuid=UUID Set a specific machine UUID for the container\n"
|
" --uuid=UUID Set a specific machine UUID for the container\n"
|
||||||
" -M --machine=NAME Set the machine name for the container\n"
|
" -M --machine=NAME Set the machine name for the container\n"
|
||||||
" -S --slice=SLICE Place the container in the specified slice\n"
|
" -S --slice=SLICE Place the container in the specified slice\n"
|
||||||
" -L --apifs-label=LABEL Set the MAC file label to be used by API/tmpfs file\n"
|
" -Z --selinux-context=SECLABEL\n"
|
||||||
" systems in the container\n"
|
" Set the SELinux security context to be used by\n"
|
||||||
" -Z --process-label=LABEL Set the MAC label to be used by processes in\n"
|
" processes in the container\n"
|
||||||
" the container\n"
|
" -L --selinux-apifs-context=SECLABEL\n"
|
||||||
|
" Set the SELinux security context to be used by\n"
|
||||||
|
" API/tmpfs file systems in the container\n"
|
||||||
" --private-network Disable network in container\n"
|
" --private-network Disable network in container\n"
|
||||||
" --read-only Mount the root directory read-only\n"
|
" --read-only Mount the root directory read-only\n"
|
||||||
" --capability=CAP In addition to the default, retain specified\n"
|
" --capability=CAP In addition to the default, retain specified\n"
|
||||||
@ -184,8 +186,8 @@ static int parse_argv(int argc, char *argv[]) {
|
|||||||
{ "machine", required_argument, NULL, 'M' },
|
{ "machine", required_argument, NULL, 'M' },
|
||||||
{ "slice", required_argument, NULL, 'S' },
|
{ "slice", required_argument, NULL, 'S' },
|
||||||
{ "setenv", required_argument, NULL, ARG_SETENV },
|
{ "setenv", required_argument, NULL, ARG_SETENV },
|
||||||
{ "process-label", required_argument, NULL, 'Z' },
|
{ "selinux-context", required_argument, NULL, 'Z' },
|
||||||
{ "apifs-label", required_argument, NULL, 'L' },
|
{ "selinux-apifs-context", required_argument, NULL, 'L' },
|
||||||
{ "quiet", no_argument, NULL, 'q' },
|
{ "quiet", no_argument, NULL, 'q' },
|
||||||
{}
|
{}
|
||||||
};
|
};
|
||||||
@ -261,12 +263,12 @@ static int parse_argv(int argc, char *argv[]) {
|
|||||||
|
|
||||||
break;
|
break;
|
||||||
|
|
||||||
case 'L':
|
case 'Z':
|
||||||
arg_apifs_label = optarg;
|
arg_selinux_context = optarg;
|
||||||
break;
|
break;
|
||||||
|
|
||||||
case 'Z':
|
case 'L':
|
||||||
arg_process_label = optarg;
|
arg_selinux_apifs_context = optarg;
|
||||||
break;
|
break;
|
||||||
|
|
||||||
case ARG_READ_ONLY:
|
case ARG_READ_ONLY:
|
||||||
@ -449,8 +451,9 @@ static int mount_all(const char *dest) {
|
|||||||
mkdir_p(where, 0755);
|
mkdir_p(where, 0755);
|
||||||
|
|
||||||
#ifdef HAVE_SELINUX
|
#ifdef HAVE_SELINUX
|
||||||
if (arg_apifs_label && (streq_ptr(mount_table[k].what, "tmpfs") || streq_ptr(mount_table[k].what, "devpts"))) {
|
if (arg_selinux_apifs_context &&
|
||||||
options = strjoin(mount_table[k].options, ",context=\"", arg_apifs_label, "\"", NULL);
|
(streq_ptr(mount_table[k].what, "tmpfs") || streq_ptr(mount_table[k].what, "devpts"))) {
|
||||||
|
options = strjoin(mount_table[k].options, ",context=\"", arg_selinux_apifs_context, "\"", NULL);
|
||||||
if (!options)
|
if (!options)
|
||||||
return log_oom();
|
return log_oom();
|
||||||
|
|
||||||
@ -1535,9 +1538,9 @@ int main(int argc, char *argv[]) {
|
|||||||
env_use = (char**) envp;
|
env_use = (char**) envp;
|
||||||
|
|
||||||
#ifdef HAVE_SELINUX
|
#ifdef HAVE_SELINUX
|
||||||
if (arg_process_label)
|
if (arg_selinux_context)
|
||||||
if (setexeccon(arg_process_label) < 0)
|
if (setexeccon(arg_selinux_context) < 0)
|
||||||
log_error("setexeccon(\"%s\") failed: %m", arg_process_label);
|
log_error("setexeccon(\"%s\") failed: %m", arg_selinux_context);
|
||||||
#endif
|
#endif
|
||||||
if (arg_boot) {
|
if (arg_boot) {
|
||||||
char **a;
|
char **a;
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user