Hi all,

Most of you are probably aware that systemd, besides running as PID 1,
also runs inside user sessions. This allows users to define their own
"user services" and start up various scripts and background processes
right after logging in.

In the default targeted policy, PID 1 runs with the init_t SELinux label
and --user instances of systemd are not confined by SELinux, i.e. they
run with unconfined_t.

During Flock I got asked whether we can change that and run systemd
--user instances in some confined domain. Fixing this on the systemd side
should be trivial, i.e. we would have to add an SELinuxContext= option
with an appropriate value to /usr/lib/systemd/system/user@.service (the
unit file used for spawning user instances of systemd).

I am writing this email with the hope that we can discuss whether the
above proposal even makes sense (what the possible gains are from a
system security perspective) and, if so, what the appropriate SELinux
label to use is (I guess we would need a new one and define policy for
it).

Michal
--
devel mailing list
devel@lists.fedoraproject.org
https://lists.fedoraproject.org/admin/lists/devel@lists.fedoraproject.org
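One way to check the outcome of the proposal, as an added example that is not part of the email: a drop-in that would carry the SELinuxContext= setting for user@.service (the domain name is a placeholder, since no label has been chosen yet) and a small audit over `ps -eo pid,label,args` output that flags systemd --user instances still running outside that domain.

```shell
#!/bin/sh
# Added example, not from the original email. Assumptions: the new SELinux
# domain is a placeholder name, and the drop-in uses systemd's standard
# override directory rather than editing user@.service in place.
EXPECTED_DOMAIN="${EXPECTED_DOMAIN:-PLACEHOLDER_user_systemd_t}"

# Drop-in contents for /etc/systemd/system/user@.service.d/selinux.conf:
# every spawned user instance would be transitioned into EXPECTED_DOMAIN.
print_dropin() {
    printf '[Service]\nSELinuxContext=system_u:system_r:%s:s0\n' \
        "$EXPECTED_DOMAIN"
}

# Audit: read `ps -eo pid,label,args` style lines on stdin and print the
# PID and domain of each `systemd --user` instance whose SELinux domain
# (third field of the context) is not EXPECTED_DOMAIN. Exit 1 if any found.
audit_user_instances() {
    awk -v want="$EXPECTED_DOMAIN" '
        $3 ~ /systemd$/ && $4 == "--user" {
            split($2, ctx, ":")
            if (ctx[3] != want) { print $1, ctx[3]; bad = 1 }
        }
        END { exit bad ? 1 : 0 }'
}

# Constructed sample of ps output: PID 1 confined as init_t, one user
# instance still unconfined_t, and an unrelated shell process.
SAMPLE_PS='   1 system_u:system_r:init_t:s0 /usr/lib/systemd/systemd --switched-root --system
1234 unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 /usr/lib/systemd/systemd --user
1300 unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 /usr/bin/bash'

print_dropin
printf '%s\n' "$SAMPLE_PS" | audit_user_instances \
    || echo "user instances above are not in $EXPECTED_DOMAIN"
```

On a real system, replace the constructed sample with `ps -eo pid,label,args | audit_user_instances` after the drop-in is installed and `systemctl daemon-reload` has run.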