[prev in list] [next in list] [prev in thread] [next in thread] 

List:       selinux
Subject:    New init system hitting a distro near you.
From:       Daniel J Walsh <dwalsh () redhat ! com>
Date:       2010-06-18 19:34:44
Message-ID: 4C1BCA54.20005 () redhat ! com
[Download RAW message or body]

http://0pointer.de/blog/projects/systemd.html

This has interesting ramifications for SELinux.  I have a working 
version of this in Fedora 14, but we need to add rules like

allow sshd_t init_t:tcp_socket { getopt ioctl getattr setopt };

Since systemd will be doing the listening and passing the socket to sshd.

Could we have risks of sshd_t grabbing the tcp_socket connected to 
httpd_t?

In this scenario we are no longer protecting against the name_bind, and 
are forced to put more trust into init_t.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
[prev in list] [next in list] [prev in thread] [next in thread]