SELinux Security Module development
* systemd - selinux: relax error handling in permissive mode
@ 2025-04-01 11:14 Petr Lautrbach
From: Petr Lautrbach @ 2025-04-01 11:14 UTC (permalink / raw)
  To: selinux

Hi,

there's a pull request on systemd [1] which tries to fix systemd so it
does not fail to run services in permissive mode when the filesystem is
mislabeled, see the commit message below. If you are interested, please
take a look.

[1] https://github.com/systemd/systemd/pull/36929

@msekletar selinux: relax error handling in permissive mode

The error returned from security_compute_create_raw() means that the kernel
couldn't compute the target context, very likely because the file context is
not known to the policy, i.e. the security.selinux xattr contains some garbage
value and we are running in permissive mode; otherwise the returned context
would be "unlabeled_t" instead of an error.

mac_selinux_get_create_label_from_exe() is used to figure out the create
label for socket units, and we fail to start the socket if we can't
figure out that label.

However, it may be necessary to start some sockets in order to get to
the point when we launch the service that relabels (in permissive mode)
the entire filesystem and reboots.

