nspawn,man: use a common vocabulary when referring to selinux security contexts
authorLennart Poettering <lennart@poettering.net>
Mon, 10 Feb 2014 11:32:03 +0000 (12:32 +0100)
committerLennart Poettering <lennart@poettering.net>
Mon, 10 Feb 2014 12:18:16 +0000 (13:18 +0100)
Let's always call the security labels the same way:

  SMACK: "Smack Label"
  SELINUX: "SELinux Security Context"

And the low-level encapsulation is called "seclabel". Now let's hope we
stick to this vocabulary in future, too, and don't mix "label"s and
"security contexts" and so on wildly.

man/sd_bus_creds_get_pid.xml
man/systemd-nspawn.xml
man/systemd.exec.xml
man/systemd.journal-fields.xml
man/tmpfiles.d.xml
src/core/execute.c
src/nspawn/nspawn.c

index 40de81f82e202d91ca07fcf07387536698b84dd8..d33533170f282295e05c225f02065a4d3ea82309 100644 (file)
@@ -333,7 +333,7 @@ along with systemd; If not, see <http://www.gnu.org/licenses/>.
     but will check the bounding capabilities mask.</para>
 
     <para><function>sd_bus_creds_get_selinux_context</function> will
-    retrieve the SELinux context of the process.</para>
+    retrieve the SELinux security context (label) of the process.</para>
 
     <para><function>sd_bus_creds_get_audit_session_id</function> will
     retrieve the audit session identifier of the process.</para>
index c95a7c0e9a5148600a1adf3e0a2340190b142a42..96ccc5cef7f2e85866b0277d1bdfeba27bfc04fe 100644 (file)
                         </varlistentry>
 
                         <varlistentry>
-                                <term><option>-L</option></term>
-                                <term><option>--apifs-label=</option></term>
+                                <term><option>-Z</option></term>
+                                <term><option>--selinux-context=</option></term>
 
-                                <listitem><para>Sets the mandatory
-                                access control (MAC/SELinux) file
-                                label to be used by virtual API file
-                                systems in the container.</para>
+                                <listitem><para>Sets the SELinux
+                                security context to be used to label
+                                processes in the container.</para>
                                 </listitem>
                         </varlistentry>
 
                         <varlistentry>
-                                <term><option>-Z</option></term>
-                                <term><option>--process-label=</option></term>
+                                <term><option>-L</option></term>
+                                <term><option>--selinux-apifs-context=</option></term>
 
-                                <listitem><para>Sets the mandatory
-                                access control (MAC/SELinux) label to be used by
-                                processes in the container.</para>
+                                <listitem><para>Sets the SELinux security
+                                context to be used to label files in
+                                the virtual API file systems in the
+                                container.</para>
                                 </listitem>
                         </varlistentry>
 
                 <programlisting># chcon system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -R /srv/container
 # systemd-nspawn -L system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -Z system_u:system_r:svirt_lxc_net_t:s0:c0,c1 -D /srv/container /bin/sh</programlisting>
 
-                <para>This runs a container with SELinux sandbox labels.</para>
+                <para>This runs a container with SELinux sandbox security contexts.</para>
         </refsect1>
 
         <refsect1>
index ecf48a73c9d64418a151f5a2632a5421c925313c..f4caccdd23ada352ab2f8c36c50c888a252aa7cc 100644 (file)
                         <varlistentry>
                                 <term><varname>SELinuxContext=</varname></term>
 
-                                <listitem><para>Set the SELinux context of the
-                                executed process. If set, this will override the
-                                automated domain transition. However, the policy
-                                still need to autorize the transition. This directive
-                                is ignored if SELinux is disabled. If prefixed by <literal>-</literal>,
-                                all errors will be ignored. See
+                                <listitem><para>Set the SELinux
+                                security context of the executed
+                                process. If set, this will override
+                                the automated domain
+                                transition. However, the policy still
+                                needs to autorize the transition. This
+                                directive is ignored if SELinux is
+                                disabled. If prefixed by
+                                <literal>-</literal>, all errors will
+                                be ignored. See
                                 <citerefentry><refentrytitle>setexeccon</refentrytitle><manvolnum>3</manvolnum></citerefentry>
                                 for details.</para></listitem>
                         </varlistentry>
index bb89ed58d333fb5014274f14396510bcf50fdd0c..c93b5da1dcba7b63abde9a9d4e9dc0a951f3ca04 100644 (file)
                                 <term><varname>_SELINUX_CONTEXT=</varname></term>
                                 <listitem>
                                         <para>The SELinux security
-                                        context of the process the
-                                        journal entry originates
+                                        context (label) of the process
+                                        the journal entry originates
                                         from.</para>
                                 </listitem>
                         </varlistentry>
index ec1ae76b17d0d5f2ae4ab9fe3da4975f3fa96a98..a304dd00e6aa4451c30aa683480278b2ee1e39cb 100644 (file)
@@ -174,7 +174,7 @@ L    /tmp/foobar -    -    -    -   /dev/null</programlisting>
                                         adjust its access mode, group
                                         and user to the specified
                                         values and reset the SELinux
-                                        label. If it does not exist, do
+                                        security context. If it does not exist, do
                                         nothing.</para></listitem>
                                 </varlistentry>
 
@@ -242,7 +242,7 @@ L    /tmp/foobar -    -    -    -   /dev/null</programlisting>
                                 <varlistentry>
                                         <term><varname>z</varname></term>
                                         <listitem><para>Restore
-                                        SELinux security context label
+                                        SELinux security context
                                         and set ownership and access
                                         mode of a file or directory if
                                         it exists.  Lines of this type
@@ -255,7 +255,7 @@ L    /tmp/foobar -    -    -    -   /dev/null</programlisting>
                                         <term><varname>Z</varname></term>
                                         <listitem><para>Recursively
                                         restore SELinux security
-                                        context label and set
+                                        context and set
                                         ownership and access mode of a
                                         path and all its
                                         subdirectories (if it is a
index 437065465db1dd10e3ddb291838f008ab769409f..b941a024defe378c5766f379ae37909ebf50b0b0 100644 (file)
@@ -2123,7 +2123,6 @@ void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) {
                 fprintf(f,
                         "%sSELinuxContext: %s\n",
                         prefix, c->selinux_context);
-
 }
 
 void exec_status_start(ExecStatus *s, pid_t pid) {
index be8161c351917c5cb3a38defea971e4d13fd4858..646c6c02f387063e03e91c664ada0abe6331b27d 100644 (file)
@@ -80,8 +80,8 @@ static char *arg_directory = NULL;
 static char *arg_user = NULL;
 static sd_id128_t arg_uuid = {};
 static char *arg_machine = NULL;
-static char *arg_process_label = NULL;
-static char *arg_apifs_label = NULL;
+static char *arg_selinux_context = NULL;
+static char *arg_selinux_apifs_context = NULL;
 static const char *arg_slice = NULL;
 static bool arg_private_network = false;
 static bool arg_read_only = false;
@@ -131,10 +131,12 @@ static int help(void) {
                "     --uuid=UUID            Set a specific machine UUID for the container\n"
                "  -M --machine=NAME         Set the machine name for the container\n"
                "  -S --slice=SLICE          Place the container in the specified slice\n"
-               "  -L --apifs-label=LABEL    Set the MAC file label to be used by API/tmpfs file\n"
-               "                            systems in the container\n"
-               "  -Z --process-label=LABEL  Set the MAC label to be used by processes in\n"
-               "                            the container\n"
+               "  -Z --selinux-context=SECLABEL\n"
+               "                            Set the SELinux security context to be used by\n"
+               "                            processes in the container\n"
+               "  -L --selinux-apifs-context=SECLABEL\n"
+               "                            Set the SELinux security context to be used by\n"
+               "                            API/tmpfs file systems in the container\n"
                "     --private-network      Disable network in container\n"
                "     --read-only            Mount the root directory read-only\n"
                "     --capability=CAP       In addition to the default, retain specified\n"
@@ -168,25 +170,25 @@ static int parse_argv(int argc, char *argv[]) {
         };
 
         static const struct option options[] = {
-                { "help",            no_argument,       NULL, 'h'                 },
-                { "version",         no_argument,       NULL, ARG_VERSION         },
-                { "directory",       required_argument, NULL, 'D'                 },
-                { "user",            required_argument, NULL, 'u'                 },
-                { "private-network", no_argument,       NULL, ARG_PRIVATE_NETWORK },
-                { "boot",            no_argument,       NULL, 'b'                 },
-                { "uuid",            required_argument, NULL, ARG_UUID            },
-                { "read-only",       no_argument,       NULL, ARG_READ_ONLY       },
-                { "capability",      required_argument, NULL, ARG_CAPABILITY      },
-                { "drop-capability", required_argument, NULL, ARG_DROP_CAPABILITY },
-                { "link-journal",    required_argument, NULL, ARG_LINK_JOURNAL    },
-                { "bind",            required_argument, NULL, ARG_BIND            },
-                { "bind-ro",         required_argument, NULL, ARG_BIND_RO         },
-                { "machine",         required_argument, NULL, 'M'                 },
-                { "slice",           required_argument, NULL, 'S'                 },
-                { "setenv",          required_argument, NULL, ARG_SETENV          },
-                { "process-label",   required_argument, NULL, 'Z'                 },
-                { "apifs-label",     required_argument, NULL, 'L'                 },
-                { "quiet",           no_argument,       NULL, 'q'                 },
+                { "help",                  no_argument,       NULL, 'h'                 },
+                { "version",               no_argument,       NULL, ARG_VERSION         },
+                { "directory",             required_argument, NULL, 'D'                 },
+                { "user",                  required_argument, NULL, 'u'                 },
+                { "private-network",       no_argument,       NULL, ARG_PRIVATE_NETWORK },
+                { "boot",                  no_argument,       NULL, 'b'                 },
+                { "uuid",                  required_argument, NULL, ARG_UUID            },
+                { "read-only",             no_argument,       NULL, ARG_READ_ONLY       },
+                { "capability",            required_argument, NULL, ARG_CAPABILITY      },
+                { "drop-capability",       required_argument, NULL, ARG_DROP_CAPABILITY },
+                { "link-journal",          required_argument, NULL, ARG_LINK_JOURNAL    },
+                { "bind",                  required_argument, NULL, ARG_BIND            },
+                { "bind-ro",               required_argument, NULL, ARG_BIND_RO         },
+                { "machine",               required_argument, NULL, 'M'                 },
+                { "slice",                 required_argument, NULL, 'S'                 },
+                { "setenv",                required_argument, NULL, ARG_SETENV          },
+                { "selinux-context",       required_argument, NULL, 'Z'                 },
+                { "selinux-apifs-context", required_argument, NULL, 'L'                 },
+                { "quiet",                 no_argument,       NULL, 'q'                 },
                 {}
         };
 
@@ -261,12 +263,12 @@ static int parse_argv(int argc, char *argv[]) {
 
                         break;
 
-                case 'L':
-                        arg_apifs_label = optarg;
+                case 'Z':
+                        arg_selinux_context = optarg;
                         break;
 
-                case 'Z':
-                        arg_process_label = optarg;
+                case 'L':
+                        arg_selinux_apifs_context = optarg;
                         break;
 
                 case ARG_READ_ONLY:
@@ -449,8 +451,9 @@ static int mount_all(const char *dest) {
                 mkdir_p(where, 0755);
 
 #ifdef HAVE_SELINUX
-                if (arg_apifs_label && (streq_ptr(mount_table[k].what, "tmpfs") || streq_ptr(mount_table[k].what, "devpts"))) {
-                        options = strjoin(mount_table[k].options, ",context=\"", arg_apifs_label, "\"", NULL);
+                if (arg_selinux_apifs_context &&
+                    (streq_ptr(mount_table[k].what, "tmpfs") || streq_ptr(mount_table[k].what, "devpts"))) {
+                        options = strjoin(mount_table[k].options, ",context=\"", arg_selinux_apifs_context, "\"", NULL);
                         if (!options)
                                 return log_oom();
 
@@ -1535,9 +1538,9 @@ int main(int argc, char *argv[]) {
                                 env_use = (char**) envp;
 
 #ifdef HAVE_SELINUX
-                        if (arg_process_label)
-                                if (setexeccon(arg_process_label) < 0)
-                                        log_error("setexeccon(\"%s\") failed: %m", arg_process_label);
+                        if (arg_selinux_context)
+                                if (setexeccon(arg_selinux_context) < 0)
+                                        log_error("setexeccon(\"%s\") failed: %m", arg_selinux_context);
 #endif
                         if (arg_boot) {
                                 char **a;
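Review bot: The --selinux-apifs-context= value is spliced verbatim into the mount option string in mount_all (`strjoin(mount_table[k].options, ",context=\"", arg_selinux_apifs_context, "\"", NULL)`), so a value containing `"` or `,` terminates the quoted context early and the rest is parsed as further mount options; the commit renames the variable but adds no validation of the user-supplied context. parse_argv could reject malformed values at the `case 'Z':` / `case 'L':` sites, under the existing HAVE_SELINUX guard, before storing them: `if (security_check_context(optarg) < 0) { log_error("Invalid SELinux security context: %s", optarg); return -EINVAL; }`. In the main() hunk a failing setexeccon() is only logged and the container payload is still executed, so the requested confinement is silently dropped — whereas SELinuxContext= in systemd.exec, per the man page change in this same commit, ignores errors only when prefixed with `-`; consider failing the spawn there unless the degraded behaviour is intended, and say so in a comment if it is. mount_all and main both start and end outside their hunks.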