On Friday, 03 January 2014 at 00:58 +0000, "Jóhann B. Guðmundsson" wrote:
> On 12/28/2013 01:30 PM, Lennart Poettering wrote:
> > On Fri, 27.12.13 23:26, m...@zarb.org (m...@zarb.org) wrote:
> >
> > > From: Michael Scherer <m...@zarb.org>
> > >
> > > This permits to let system administrators decide of the domain of a
> > > service.
> > > This can be used with templated units to have each service in a different
> > > domain ( for example, a per customer database, using MLS or anything ),
> > > or can be used to force a non selinux enabled system (jvm, erlang, etc)
> > > to start in a different domain for each service.
> >
> > Hmm, so far (as I understood it) the SELinux guys always wanted to make
> > sure that label configuration stays in the selinux database and
> > nowhere else.
>
> Right and if you add this you need to add something for the other
> security solutions as well ( apparmor etc ).

I do not see why we need to equally support all MAC frameworks for each
change we do. And while I am familiar enough with apparmor to create an
equivalent setting ( and plan to do ), I have no idea on how to translate
the concept for smack, ima and tomoyo. In fact, the mere fact that tomoyo
is not handled at all already shows that we do treat all security
frameworks as equal.

> This introduces yet another place for administrators to look at while
> debugging problems so the question to ask here is.
>
> Is adding this ability to unit files the right way to solve what's
> trying to be solved here?

As Dan said, yes.

Usually, the type of transition from 1 domain to another is done at the
kernel level based on the label of the file executed. See
https://wiki.gentoo.org/wiki/SELinux/Tutorials/How_does_a_process_get_into_a_certain_context
and http://danwalsh.livejournal.com/23944.html

However, as said, there are some cases where the approach of making the
transition based on the executed filename is not sufficient. For example,
the erlang vm, the jvm, etc, because each software will run in the same
domain, in different processes, because that's always the same jvm being
used. See the bug I mentioned before.

Now, if you have a more precise feedback and/or a better proposal, I am
ready to hear of it, but the only alternative I see is to make the JVM,
erlang, etc, to be SELinux aware. That's a much bigger task, and I am not
sure that's worth the code duplication ( not to mention that it makes
sysadmins look in several different places ).

And the design I was thinking of ( ie, replicating the current system of
doing transition based on file label ) would require reimplementing the
kernel code in userspace, in libselinux, and I would rather avoid this
for various reasons ( security, code duplication avoidance ).

Another solution would be to create a shell wrapper for every java, erlang
and mono software, and then use process transition on the shell wrapper,
but that doesn't scale that well and does not offer the flexibility of the
current patch to the sysadmin. ( and would likely be Fedora specific as
well ).

-- 
Michael Scherer
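
A sketch of the templated-unit use case from the quoted commit message, as an added example that is not part of the original mail or of the patch under discussion. `SELinuxContext=` is the name this setting has in current systemd (see systemd.exec); the unit name, jar path, the `customerdb_t` type and the numeric instance names are assumptions, and the type must exist in the loaded policy.

```ini
# /etc/systemd/system/customerdb@.service  (hypothetical templated unit)
[Unit]
Description=Per-customer database instance %i

[Service]
# Every instance executes the same JVM binary, so a transition keyed on
# the label of the executed file would put all instances in one domain.
ExecStart=/usr/bin/java -jar /opt/customerdb/customerdb.jar --instance %i

# Set the process context per unit instead. %i is the instance name
# (assumed here to be a number in the MCS category range), so
# customerdb@7.service runs with category c7 and cannot touch files
# labelled for c8. customerdb_t is a hypothetical type, and the policy
# must allow systemd's own domain to transition to it.
# No leading "-": on an SELinux-enabled host the start fails if the
# context cannot be applied, rather than running in the default domain.
SELinuxContext=system_u:system_r:customerdb_t:s0:c%i
```

After starting `customerdb@7.service`, `ps -Z` on the service's main PID should show the `customerdb_t` domain with category `c7`.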