mcstrans: start early and stop late
It stopped too early, exposing a bug in sudo selinux_restore_tty():

SELINUX_ERR op=setxattr invalid_context="wheel.id:wheel.role:users.terminals.pty.pty_file:SystemLow"
avc:  denied  { mac_admin } for  pid=859 comm="sudo" capability=33 scontext=wheel.id:wheel.role:sudo.wheel.subj:s0 tcontext=wheel.id:wheel.role:sudo.wheel.subj:s0 tclass=capability2 permissive=0

If we want to be able to reference human readable contexts in SELinuxContext= and nspawn -Z and -L then we need mcstrans ASAP

v2: stop late, but do stop
Signed-off-by: Dominick Grift <dac.override@gmail.com>
Acked-by: Petr Lautrbach <plautrba@redhat.com>
Dominick Grift authored and bachradsusi committed May 13, 2020
1 parent c2c2dc6 commit 8c1282b
Showing 1 changed file with 3 additions and 0 deletions.
3 changes: 3 additions & 0 deletions mcstrans/src/mcstrans.service
Expand Up @@ -2,6 +2,9 @@
Description=Translates SELinux MCS/MLS labels to human readable form
Documentation=man:mcstransd(8)
ConditionSecurity=selinux
DefaultDependencies=no
Before=shutdown.target sysinit.target
Conflicts=shutdown.target

[Service]
ExecStart=/sbin/mcstransd -f
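Review bot: the three added [Unit] lines (DefaultDependencies=no, Before=shutdown.target sysinit.target, Conflicts=shutdown.target) order the unit before sysinit.target but add no After= line, so nothing visible here guarantees that the filesystem holding /sbin/mcstransd is mounted when ExecStart runs. Consider adding an explicit ordering such as After=local-fs.target, or a comment in the unit explaining why none is needed. A short comment above DefaultDependencies=no recording the reason given in the commit message (translation must be available before sysinit.target and stay up until shutdown) would also help later readers. The [Install] section is not part of this hunk, so it is worth confirming that the target which pulls the unit in is consistent with starting before sysinit.target.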