shaba/systemd
1
0
Fork 0
mirror of https://github.com/systemd/systemd.git synced 2025-01-11 09:18:07 +03:00
Code

nspawn,man: use a common vocabulary when referring to selinux security contexts

Browse Source 
Let's always call the security labels the same way:

  SMACK: "Smack Label"
  SELINUX: "SELinux Security Context"

And the low-level encapsulation is called "seclabel". Now let's hope we
stick to this vocabulary in future, too, and don't mix "label"s and
"security contexts" and so on wildly.
This commit is contained in:
Lennart Poettering 2014-02-10 12:32:03 +01:00
parent 0d3f7bb3a5
commit 82adf6af7c
7 changed files with 65 additions and 59 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
man/sd_bus_creds_get_pid.xml
View File

@ -333,7 +333,7 @@ along with systemd; If not, see <http://www.gnu.org/licenses/>.
but will check the bounding capabilities mask.</para> but will check the bounding capabilities mask.</para>
<para><function>sd_bus_creds_get_selinux_context</function> will <para><function>sd_bus_creds_get_selinux_context</function> will
retrieve the SELinux context of the process.</para> retrieve the SELinux security context (label) of the process.</para>
<para><function>sd_bus_creds_get_audit_session_id</function> will <para><function>sd_bus_creds_get_audit_session_id</function> will
retrieve the audit session identifier of the process.</para> retrieve the audit session identifier of the process.</para>

24
man/systemd-nspawn.xml
View File

@ -249,23 +249,23 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><option>-L</option></term> <term><option>-Z</option></term>
<term><option>--apifs-label=</option></term> <term><option>--selinux-context=</option></term>
<listitem><para>Sets the mandatory <listitem><para>Sets the SELinux
access control (MAC/SELinux) file security context to be used to label
label to be used by virtual API file processes in the container.</para>
systems in the container.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><option>-Z</option></term> <term><option>-L</option></term>
<term><option>--process-label=</option></term> <term><option>--selinux-apifs-context=</option></term>
<listitem><para>Sets the mandatory <listitem><para>Sets the SELinux security
access control (MAC/SELinux) label to be used by context to be used to label files in
processes in the container.</para> the virtual API file systems in the
container.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -495,7 +495,7 @@
<programlisting># chcon system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -R /srv/container <programlisting># chcon system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -R /srv/container
# systemd-nspawn -L system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -Z system_u:system_r:svirt_lxc_net_t:s0:c0,c1 -D /srv/container /bin/sh</programlisting> # systemd-nspawn -L system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -Z system_u:system_r:svirt_lxc_net_t:s0:c0,c1 -D /srv/container /bin/sh</programlisting>
<para>This runs a container with SELinux sandbox labels.</para> <para>This runs a container with SELinux sandbox security contexts.</para>
</refsect1> </refsect1>
<refsect1> <refsect1>

16
man/systemd.exec.xml
View File

@ -953,12 +953,16 @@
<varlistentry> <varlistentry>
<term><varname>SELinuxContext=</varname></term> <term><varname>SELinuxContext=</varname></term>
<listitem><para>Set the SELinux context of the <listitem><para>Set the SELinux
executed process. If set, this will override the security context of the executed
automated domain transition. However, the policy process. If set, this will override
still need to autorize the transition. This directive the automated domain
is ignored if SELinux is disabled. If prefixed by <literal>-</literal>, transition. However, the policy still
all errors will be ignored. See needs to autorize the transition. This
directive is ignored if SELinux is
disabled. If prefixed by
<literal>-</literal>, all errors will
be ignored. See
<citerefentry><refentrytitle>setexeccon</refentrytitle><manvolnum>3</manvolnum></citerefentry> <citerefentry><refentrytitle>setexeccon</refentrytitle><manvolnum>3</manvolnum></citerefentry>
for details.</para></listitem> for details.</para></listitem>
</varlistentry> </varlistentry>

4
man/systemd.journal-fields.xml
View File

@ -244,8 +244,8 @@
<term><varname>_SELINUX_CONTEXT=</varname></term> <term><varname>_SELINUX_CONTEXT=</varname></term>
<listitem> <listitem>
<para>The SELinux security <para>The SELinux security
context of the process the context (label) of the process
journal entry originates the journal entry originates
from.</para> from.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>

6
man/tmpfiles.d.xml
View File

@ -174,7 +174,7 @@ L /tmp/foobar - - - - /dev/null</programlisting>
adjust its access mode, group adjust its access mode, group
and user to the specified and user to the specified
values and reset the SELinux values and reset the SELinux
label. If it does not exist, do security context. If it does not exist, do
nothing.</para></listitem> nothing.</para></listitem>
</varlistentry> </varlistentry>
@ -242,7 +242,7 @@ L /tmp/foobar - - - - /dev/null</programlisting>
<varlistentry> <varlistentry>
<term><varname>z</varname></term> <term><varname>z</varname></term>
<listitem><para>Restore <listitem><para>Restore
SELinux security context label SELinux security context
and set ownership and access and set ownership and access
mode of a file or directory if mode of a file or directory if
it exists. Lines of this type it exists. Lines of this type
@ -255,7 +255,7 @@ L /tmp/foobar - - - - /dev/null</programlisting>
<term><varname>Z</varname></term> <term><varname>Z</varname></term>
<listitem><para>Recursively <listitem><para>Recursively
restore SELinux security restore SELinux security
context label and set context and set
ownership and access mode of a ownership and access mode of a
path and all its path and all its
subdirectories (if it is a subdirectories (if it is a

1
src/core/execute.c
View File

@ -2123,7 +2123,6 @@ void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) {
fprintf(f, fprintf(f,
"%sSELinuxContext: %s\n", "%sSELinuxContext: %s\n",
prefix, c->selinux_context); prefix, c->selinux_context);
} }
void exec_status_start(ExecStatus *s, pid_t pid) { void exec_status_start(ExecStatus *s, pid_t pid) {

71
src/nspawn/nspawn.c
View File

@ -80,8 +80,8 @@ static char *arg_directory = NULL;
static char *arg_user = NULL; static char *arg_user = NULL;
static sd_id128_t arg_uuid = {}; static sd_id128_t arg_uuid = {};
static char *arg_machine = NULL; static char *arg_machine = NULL;
static char *arg_process_label = NULL; static char *arg_selinux_context = NULL;
static char *arg_apifs_label = NULL; static char *arg_selinux_apifs_context = NULL;
static const char *arg_slice = NULL; static const char *arg_slice = NULL;
static bool arg_private_network = false; static bool arg_private_network = false;
static bool arg_read_only = false; static bool arg_read_only = false;
@ -131,10 +131,12 @@ static int help(void) {
" --uuid=UUID Set a specific machine UUID for the container\n" " --uuid=UUID Set a specific machine UUID for the container\n"
" -M --machine=NAME Set the machine name for the container\n" " -M --machine=NAME Set the machine name for the container\n"
" -S --slice=SLICE Place the container in the specified slice\n" " -S --slice=SLICE Place the container in the specified slice\n"
" -L --apifs-label=LABEL Set the MAC file label to be used by API/tmpfs file\n" " -Z --selinux-context=SECLABEL\n"
" systems in the container\n" " Set the SELinux security context to be used by\n"
" -Z --process-label=LABEL Set the MAC label to be used by processes in\n" " processes in the container\n"
" the container\n" " -L --selinux-apifs-context=SECLABEL\n"
" Set the SELinux security context to be used by\n"
" API/tmpfs file systems in the container\n"
" --private-network Disable network in container\n" " --private-network Disable network in container\n"
" --read-only Mount the root directory read-only\n" " --read-only Mount the root directory read-only\n"
" --capability=CAP In addition to the default, retain specified\n" " --capability=CAP In addition to the default, retain specified\n"
@ -168,25 +170,25 @@ static int parse_argv(int argc, char *argv[]) {
}; };
static const struct option options[] = { static const struct option options[] = {
{ "help", no_argument, NULL, 'h' }, { "help", no_argument, NULL, 'h' },
{ "version", no_argument, NULL, ARG_VERSION }, { "version", no_argument, NULL, ARG_VERSION },
{ "directory", required_argument, NULL, 'D' }, { "directory", required_argument, NULL, 'D' },
{ "user", required_argument, NULL, 'u' }, { "user", required_argument, NULL, 'u' },
{ "private-network", no_argument, NULL, ARG_PRIVATE_NETWORK }, { "private-network", no_argument, NULL, ARG_PRIVATE_NETWORK },
{ "boot", no_argument, NULL, 'b' }, { "boot", no_argument, NULL, 'b' },
{ "uuid", required_argument, NULL, ARG_UUID }, { "uuid", required_argument, NULL, ARG_UUID },
{ "read-only", no_argument, NULL, ARG_READ_ONLY }, { "read-only", no_argument, NULL, ARG_READ_ONLY },
{ "capability", required_argument, NULL, ARG_CAPABILITY }, { "capability", required_argument, NULL, ARG_CAPABILITY },
{ "drop-capability", required_argument, NULL, ARG_DROP_CAPABILITY }, { "drop-capability", required_argument, NULL, ARG_DROP_CAPABILITY },
{ "link-journal", required_argument, NULL, ARG_LINK_JOURNAL }, { "link-journal", required_argument, NULL, ARG_LINK_JOURNAL },
{ "bind", required_argument, NULL, ARG_BIND }, { "bind", required_argument, NULL, ARG_BIND },
{ "bind-ro", required_argument, NULL, ARG_BIND_RO }, { "bind-ro", required_argument, NULL, ARG_BIND_RO },
{ "machine", required_argument, NULL, 'M' }, { "machine", required_argument, NULL, 'M' },
{ "slice", required_argument, NULL, 'S' }, { "slice", required_argument, NULL, 'S' },
{ "setenv", required_argument, NULL, ARG_SETENV }, { "setenv", required_argument, NULL, ARG_SETENV },
{ "process-label", required_argument, NULL, 'Z' }, { "selinux-context", required_argument, NULL, 'Z' },
{ "apifs-label", required_argument, NULL, 'L' }, { "selinux-apifs-context", required_argument, NULL, 'L' },
{ "quiet", no_argument, NULL, 'q' }, { "quiet", no_argument, NULL, 'q' },
{} {}
}; };
@ -261,12 +263,12 @@ static int parse_argv(int argc, char *argv[]) {
break; break;
case 'L': case 'Z':
arg_apifs_label = optarg; arg_selinux_context = optarg;
break; break;
case 'Z': case 'L':
arg_process_label = optarg; arg_selinux_apifs_context = optarg;
break; break;
case ARG_READ_ONLY: case ARG_READ_ONLY:
@ -449,8 +451,9 @@ static int mount_all(const char *dest) {
mkdir_p(where, 0755); mkdir_p(where, 0755);
#ifdef HAVE_SELINUX #ifdef HAVE_SELINUX
if (arg_apifs_label && (streq_ptr(mount_table[k].what, "tmpfs") || streq_ptr(mount_table[k].what, "devpts"))) { if (arg_selinux_apifs_context &&
options = strjoin(mount_table[k].options, ",context=\"", arg_apifs_label, "\"", NULL); (streq_ptr(mount_table[k].what, "tmpfs") || streq_ptr(mount_table[k].what, "devpts"))) {
options = strjoin(mount_table[k].options, ",context=\"", arg_selinux_apifs_context, "\"", NULL);
if (!options) if (!options)
return log_oom(); return log_oom();
@ -1535,9 +1538,9 @@ int main(int argc, char *argv[]) {
env_use = (char**) envp; env_use = (char**) envp;
#ifdef HAVE_SELINUX #ifdef HAVE_SELINUX
if (arg_process_label) if (arg_selinux_context)
if (setexeccon(arg_process_label) < 0) if (setexeccon(arg_selinux_context) < 0)
log_error("setexeccon(\"%s\") failed: %m", arg_process_label); log_error("setexeccon(\"%s\") failed: %m", arg_selinux_context);
#endif #endif
if (arg_boot) { if (arg_boot) {
char **a; char **a;