mcstrans: start early and stop late
It stopped too early, exposing a bug in sudo selinux_restore_tty():
SELINUX_ERR op=setxattr invalid_context="wheel.id:wheel.role:users.terminals.pty.pty_file:SystemLow"
avc: denied { mac_admin } for pid=859 comm="sudo" capability=33 scontext=wheel.id:wheel.role:sudo.wheel.subj:s0 tcontext=wheel.id:wheel.role:sudo.wheel.subj:s0 tclass=capability2 permissive=0
If we want to be able to reference human readable contexts in SELinuxContext= and nspawn -Z and -L then we need mcstrans ASAP
v2: stop late, but do stop
Signed-off-by: Dominick Grift <dac.override@gmail.com>
Acked-by: Petr Lautrbach <plautrba@redhat.com>
This commit is contained in:
Dominick Grift
Petr Lautrbach
parent
c2c2dc610c
commit
8c1282b0ec
1 changed files with 3 additions and 0 deletions
|
|
@ -2,6 +2,9 @@
|
|||
Description=Translates SELinux MCS/MLS labels to human readable form
|
||||
Documentation=man:mcstransd(8)
|
||||
ConditionSecurity=selinux
|
||||
DefaultDependencies=no
|
||||
Before=shutdown.target sysinit.target
|
||||
Conflicts=shutdown.target
|
||||
|
||||
[Service]
|
||||
ExecStart=/sbin/mcstransd -f
|
||||
|
|
|
|||
Loading…
Reference in a new issue