From: Petr Lautrbach <plautrba@redhat.com>
To: "Paul Moore" <paul@paul-moore.com>,
"Christian Göttsche" <cgzones@googlemail.com>,
selinux@vger.kernel.org, selinux-refpolicy@vger.kernel.org
Cc: Lennart Poettering <lennart@poettering.net>
Subject: Re: SELinux and systemd integration
Date: Fri, 16 Jun 2023 07:43:27 +0200
Message-ID: <87r0qcotc0.fsf@redhat.com>
In-Reply-To: <CAHC9VhRAXQyzG7OsgXQfWT09qEFQRmeN2foGLGnU8cHdRKePUA@mail.gmail.com>
Paul Moore <paul@paul-moore.com> writes:
> Hello all,
>
> Amongst Christian's various other SELinux contributions, over the past
> several years Christian has been working on improving the SELinux
> integration in systemd. One of the things that Christian has been
> working on is revamping the SELinux permissions that systemd uses for
> unitfile operations, both to resolve problems and generally improve
> the mapping of permissions to systemd operations. As this work has
> been languishing for several years, I would like to see if we can get
> things "unstuck" by proposing two things:
>
> 1. I've provided links to the systemd GH PRs below, but I think it
> might be helpful if Christian could provide a quick summary of the new
> permissions, how they map to systemd operations, and how they map to
> the existing SELinux/systemd permissions with a focus on helping
> policy developers migrate existing SELinux policies.
>
> 2. Given the significance of systemd to modern Linux distributions, I
> think it might be a good idea if we selected a SELinux "liaison" for
> the systemd project. This person, or group of people, would work with
> the systemd folks to keep the SELinux integration in good working
> order, review systemd code as necessary, and help represent the
> SELinux project within systemd.
>
> How does that sound to everyone? If we are in agreement on #2, and
> assuming he would be willing to help out, I would like to nominate
> Christian as our SELinux liaison to systemd; any objections? Anyone
> else interested in helping out?

I agree with Christian's nomination.

As for #1, I looked at both, but I have to admit that I had a lack of
understanding of the problem and so I would need some time to get
into it. Therefore I postponed it due to other priorities (but never
came back). If it's still open I'll focus on it next week.

> For reference, Christian's systemd PRs on GH:
> * https://github.com/systemd/systemd/pull/10023
> * https://github.com/systemd/systemd/pull/20387
>
Thanks,
Petr