From 82adf6af7c72b852449346835f33184a841b4796 Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Mon, 10 Feb 2014 12:32:03 +0100 Subject: [PATCH] nspawn,man: use a common vocabulary when referring to selinux security contexts Let's always call the security labels the same way: SMACK: "Smack Label" SELINUX: "SELinux Security Context" And the low-level encapsulation is called "seclabel". Now let's hope we stick to this vocabulary in future, too, and don't mix "label"s and "security contexts" and so on wildly. --- man/sd_bus_creds_get_pid.xml | 2 +- man/systemd-nspawn.xml | 24 ++++++------ man/systemd.exec.xml | 16 +++++--- man/systemd.journal-fields.xml | 4 +- man/tmpfiles.d.xml | 6 +-- src/core/execute.c | 1 - src/nspawn/nspawn.c | 71 ++++++++++++++++++---------------- 7 files changed, 65 insertions(+), 59 deletions(-) diff --git a/man/sd_bus_creds_get_pid.xml b/man/sd_bus_creds_get_pid.xml index 40de81f82..d33533170 100644 --- a/man/sd_bus_creds_get_pid.xml +++ b/man/sd_bus_creds_get_pid.xml @@ -333,7 +333,7 @@ along with systemd; If not, see . but will check the bounding capabilities mask. sd_bus_creds_get_selinux_context will - retrieve the SELinux context of the process. + retrieve the SELinux security context (label) of the process. sd_bus_creds_get_audit_session_id will retrieve the audit session identifier of the process. diff --git a/man/systemd-nspawn.xml b/man/systemd-nspawn.xml index c95a7c0e9..96ccc5cef 100644 --- a/man/systemd-nspawn.xml +++ b/man/systemd-nspawn.xml @@ -249,23 +249,23 @@ - - + + - Sets the mandatory - access control (MAC/SELinux) file - label to be used by virtual API file - systems in the container. + Sets the SELinux + security context to be used to label + processes in the container. - - + + - Sets the mandatory - access control (MAC/SELinux) label to be used by - processes in the container. + Sets the SELinux security + context to be used to label files in + the virtual API file systems in the + container. 
@@ -495,7 +495,7 @@ # chcon system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -R /srv/container # systemd-nspawn -L system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -Z system_u:system_r:svirt_lxc_net_t:s0:c0,c1 -D /srv/container /bin/sh - This runs a container with SELinux sandbox labels. + This runs a container with SELinux sandbox security contexts. diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index ecf48a73c..f4caccdd2 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml @@ -953,12 +953,16 @@ SELinuxContext= - Set the SELinux context of the - executed process. If set, this will override the - automated domain transition. However, the policy - still need to autorize the transition. This directive - is ignored if SELinux is disabled. If prefixed by -, - all errors will be ignored. See + Set the SELinux + security context of the executed + process. If set, this will override + the automated domain + transition. However, the policy still + needs to autorize the transition. This + directive is ignored if SELinux is + disabled. If prefixed by + -, all errors will + be ignored. See setexeccon3 for details. diff --git a/man/systemd.journal-fields.xml b/man/systemd.journal-fields.xml index bb89ed58d..c93b5da1d 100644 --- a/man/systemd.journal-fields.xml +++ b/man/systemd.journal-fields.xml @@ -244,8 +244,8 @@ _SELINUX_CONTEXT= The SELinux security - context of the process the - journal entry originates + context (label) of the process + the journal entry originates from. diff --git a/man/tmpfiles.d.xml b/man/tmpfiles.d.xml index ec1ae76b1..a304dd00e 100644 --- a/man/tmpfiles.d.xml +++ b/man/tmpfiles.d.xml @@ -174,7 +174,7 @@ L /tmp/foobar - - - - /dev/null adjust its access mode, group and user to the specified values and reset the SELinux - label. If it does not exist, do + security context. If it does not exist, do nothing. 
@@ -242,7 +242,7 @@ L /tmp/foobar - - - - /dev/null z Restore - SELinux security context label + SELinux security context and set ownership and access mode of a file or directory if it exists. Lines of this type @@ -255,7 +255,7 @@ L /tmp/foobar - - - - /dev/null Z Recursively restore SELinux security - context label and set + context and set ownership and access mode of a path and all its subdirectories (if it is a diff --git a/src/core/execute.c b/src/core/execute.c index 437065465..b941a024d 100644 --- a/src/core/execute.c +++ b/src/core/execute.c @@ -2123,7 +2123,6 @@ void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) { fprintf(f, "%sSELinuxContext: %s\n", prefix, c->selinux_context); - } void exec_status_start(ExecStatus *s, pid_t pid) { diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c index be8161c35..646c6c02f 100644 --- a/src/nspawn/nspawn.c +++ b/src/nspawn/nspawn.c @@ -80,8 +80,8 @@ static char *arg_directory = NULL; static char *arg_user = NULL; static sd_id128_t arg_uuid = {}; static char *arg_machine = NULL; -static char *arg_process_label = NULL; -static char *arg_apifs_label = NULL; +static char *arg_selinux_context = NULL; +static char *arg_selinux_apifs_context = NULL; static const char *arg_slice = NULL; static bool arg_private_network = false; static bool arg_read_only = false; 
@@ -131,10 +131,12 @@ static int help(void) {
 " --uuid=UUID Set a specific machine UUID for the container\n"
 " -M --machine=NAME Set the machine name for the container\n"
 " -S --slice=SLICE Place the container in the specified slice\n"
- " -L --apifs-label=LABEL Set the MAC file label to be used by API/tmpfs file\n"
- " systems in the container\n"
- " -Z --process-label=LABEL Set the MAC label to be used by processes in\n"
- " the container\n"
+ " -Z --selinux-context=SECLABEL\n"
+ " Set the SELinux security context to be used by\n"
+ " processes in the container\n"
+ " -L --selinux-apifs-context=SECLABEL\n"
+ " Set the SELinux security context to be used by\n"
+ " API/tmpfs file systems in the container\n"
 " --private-network Disable network in container\n"
 " --read-only Mount the root directory read-only\n"
 " --capability=CAP In addition to the default, retain specified\n"
@@ -168,25 +170,25 @@ static int parse_argv(int argc, char *argv[]) {
 };
 static const struct option options[] = {
- { "help", no_argument, NULL, 'h' },
- { "version", no_argument, NULL, ARG_VERSION },
- { "directory", required_argument, NULL, 'D' },
- { "user", required_argument, NULL, 'u' },
- { "private-network", no_argument, NULL, ARG_PRIVATE_NETWORK },
- { "boot", no_argument, NULL, 'b' },
- { "uuid", required_argument, NULL, ARG_UUID },
- { "read-only", no_argument, NULL, ARG_READ_ONLY },
- { "capability", required_argument, NULL, ARG_CAPABILITY },
- { "drop-capability", required_argument, NULL, ARG_DROP_CAPABILITY },
- { "link-journal", required_argument, NULL, ARG_LINK_JOURNAL },
- { "bind", required_argument, NULL, ARG_BIND },
- { "bind-ro", required_argument, NULL, ARG_BIND_RO },
- { "machine", required_argument, NULL, 'M' },
- { "slice", required_argument, NULL, 'S' },
- { "setenv", required_argument, NULL, ARG_SETENV },
- { "process-label", required_argument, NULL, 'Z' },
- { "apifs-label", required_argument, NULL, 'L' },
- { "quiet", no_argument, NULL, 'q' },
+ { "help", no_argument, NULL, 'h' },
+ { "version", no_argument, NULL, ARG_VERSION },
+ { "directory", required_argument, NULL, 'D' },
+ { "user", required_argument, NULL, 'u' },
+ { "private-network", no_argument, NULL, ARG_PRIVATE_NETWORK },
+ { "boot", no_argument, NULL, 'b' },
+ { "uuid", required_argument, NULL, ARG_UUID },
+ { "read-only", no_argument, NULL, ARG_READ_ONLY },
+ { "capability", required_argument, NULL, ARG_CAPABILITY },
+ { "drop-capability", required_argument, NULL, ARG_DROP_CAPABILITY },
+ { "link-journal", required_argument, NULL, ARG_LINK_JOURNAL },
+ { "bind", required_argument, NULL, ARG_BIND },
+ { "bind-ro", required_argument, NULL, ARG_BIND_RO },
+ { "machine", required_argument, NULL, 'M' },
+ { "slice", required_argument, NULL, 'S' },
+ { "setenv", required_argument, NULL, ARG_SETENV },
+ { "selinux-context", required_argument, NULL, 'Z' },
+ {
"selinux-apifs-context", required_argument, NULL, 'L' },
+ { "quiet", no_argument, NULL, 'q' },
 {}
 };
@@ -261,12 +263,12 @@ static int parse_argv(int argc, char *argv[]) {
 break;
- case 'L':
- arg_apifs_label = optarg;
+ case 'Z':
+ arg_selinux_context = optarg;
 break;
- case 'Z':
- arg_process_label = optarg;
+ case 'L':
+ arg_selinux_apifs_context = optarg;
 break;
 case ARG_READ_ONLY:
@@ -449,8 +451,9 @@ static int mount_all(const char *dest) {
 mkdir_p(where, 0755);
 #ifdef HAVE_SELINUX
- if (arg_apifs_label && (streq_ptr(mount_table[k].what, "tmpfs") || streq_ptr(mount_table[k].what, "devpts"))) {
- options = strjoin(mount_table[k].options, ",context=\"", arg_apifs_label, "\"", NULL);
+ if (arg_selinux_apifs_context &&
+ (streq_ptr(mount_table[k].what, "tmpfs") || streq_ptr(mount_table[k].what, "devpts"))) {
+ options = strjoin(mount_table[k].options, ",context=\"", arg_selinux_apifs_context, "\"", NULL);
 if (!options) return log_oom();
@@ -1535,9 +1538,9 @@ int main(int argc, char *argv[]) {
 env_use = (char**) envp;
 #ifdef HAVE_SELINUX
- if (arg_process_label)
- if (setexeccon(arg_process_label) < 0)
- log_error("setexeccon(\"%s\") failed: %m", arg_process_label);
+ if (arg_selinux_context)
+ if (setexeccon(arg_selinux_context) < 0)
+ log_error("setexeccon(\"%s\") failed: %m", arg_selinux_context);
 #endif
 if (arg_boot) {
 char **a;
-- 
2.30.2
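Review bot: The renamed `options = strjoin(mount_table[k].options, ",context=\"", arg_selinux_apifs_context, "\"", NULL);` in mount_all still splices the raw -L argument into the tmpfs/devpts mount option string without any validation, so a value containing `"` or `,` is handed to mount(2) as-is and may terminate the quoted context early or be read as extra mount options; the commit only changes the variable name. Since nspawn already calls setexeccon() and therefore links libselinux, the cheap fix is to reject malformed input where it is parsed, e.g. after `arg_selinux_apifs_context = optarg;` in parse_argv: `if (security_check_context(optarg) < 0) { log_error("Invalid SELinux context: %s", optarg); return -EINVAL; }` (under the same `#ifdef HAVE_SELINUX`). That also turns a late, opaque mount failure into a clear usage error. I have not verified how the kernel's option parser treats an embedded quote here, and the remainder of mount_all's loop lies outside the hunk.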
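Review bot: In the main hunk, `if (setexeccon(arg_selinux_context) < 0) log_error("setexeccon(\"%s\") failed: %m", arg_selinux_context);` only logs when the requested context cannot be applied and then falls through to `if (arg_boot) {` and the exec of the container payload, so an operator who passed -Z to confine the container silently gets an unconfined one. A confinement option the user asked for explicitly should fail closed: after the log_error, leave the child with whatever the surrounding code uses for fatal setup errors, e.g. `_exit(EXIT_FAILURE);` or a `goto` to the child's error label (main's body and its labels are outside the hunk, so the exact form is yours to pick). Relatedly, when HAVE_SELINUX is undefined parse_argv still accepts -Z and -L but both are no-ops; rejecting them there with a clear error would close the same fail-open gap.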