summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorLennart Poettering <lennart@poettering.net>2014-02-10 12:32:03 +0100
committerLennart Poettering <lennart@poettering.net>2014-02-10 13:18:16 +0100
commit82adf6af7c72b852449346835f33184a841b4796 (patch)
tree0dd1c4c6dcdd9760df65300e15bd3b53b5aad553
parent0d3f7bb3a5bc6d5c0712f88a080fed388981bca3 (diff)
nspawn,man: use a common vocabulary when referring to selinux security contexts
Let's always call the security labels the same way: SMACK: "Smack Label" SELINUX: "SELinux Security Context" And the low-level encapsulation is called "seclabel". Now let's hope we stick to this vocabulary in future, too, and don't mix "label"s and "security contexts" and so on wildly.
-rw-r--r--man/sd_bus_creds_get_pid.xml2
-rw-r--r--man/systemd-nspawn.xml24
-rw-r--r--man/systemd.exec.xml16
-rw-r--r--man/systemd.journal-fields.xml4
-rw-r--r--man/tmpfiles.d.xml6
-rw-r--r--src/core/execute.c1
-rw-r--r--src/nspawn/nspawn.c71
7 files changed, 65 insertions, 59 deletions
diff --git a/man/sd_bus_creds_get_pid.xml b/man/sd_bus_creds_get_pid.xml
index 40de81f82e..d33533170f 100644
--- a/man/sd_bus_creds_get_pid.xml
+++ b/man/sd_bus_creds_get_pid.xml
@@ -333,7 +333,7 @@ along with systemd; If not, see <http://www.gnu.org/licenses/>.
but will check the bounding capabilities mask.</para>
<para><function>sd_bus_creds_get_selinux_context</function> will
- retrieve the SELinux context of the process.</para>
+ retrieve the SELinux security context (label) of the process.</para>
<para><function>sd_bus_creds_get_audit_session_id</function> will
retrieve the audit session identifier of the process.</para>
diff --git a/man/systemd-nspawn.xml b/man/systemd-nspawn.xml
index c95a7c0e9a..96ccc5cef7 100644
--- a/man/systemd-nspawn.xml
+++ b/man/systemd-nspawn.xml
@@ -249,23 +249,23 @@
</varlistentry>
<varlistentry>
- <term><option>-L</option></term>
- <term><option>--apifs-label=</option></term>
+ <term><option>-Z</option></term>
+ <term><option>--selinux-context=</option></term>
- <listitem><para>Sets the mandatory
- access control (MAC/SELinux) file
- label to be used by virtual API file
- systems in the container.</para>
+ <listitem><para>Sets the SELinux
+ security context to be used to label
+ processes in the container.</para>
</listitem>
</varlistentry>
<varlistentry>
- <term><option>-Z</option></term>
- <term><option>--process-label=</option></term>
+ <term><option>-L</option></term>
+ <term><option>--selinux-apifs-context=</option></term>
- <listitem><para>Sets the mandatory
- access control (MAC/SELinux) label to be used by
- processes in the container.</para>
+ <listitem><para>Sets the SELinux security
+ context to be used to label files in
+ the virtual API file systems in the
+ container.</para>
</listitem>
</varlistentry>
@@ -495,7 +495,7 @@
<programlisting># chcon system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -R /srv/container
# systemd-nspawn -L system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -Z system_u:system_r:svirt_lxc_net_t:s0:c0,c1 -D /srv/container /bin/sh</programlisting>
- <para>This runs a container with SELinux sandbox labels.</para>
+ <para>This runs a container with SELinux sandbox security contexts.</para>
</refsect1>
<refsect1>
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index ecf48a73c9..f4caccdd23 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -953,12 +953,16 @@
<varlistentry>
<term><varname>SELinuxContext=</varname></term>
- <listitem><para>Set the SELinux context of the
- executed process. If set, this will override the
- automated domain transition. However, the policy
- still need to autorize the transition. This directive
- is ignored if SELinux is disabled. If prefixed by <literal>-</literal>,
- all errors will be ignored. See
+ <listitem><para>Set the SELinux
+ security context of the executed
+ process. If set, this will override
+ the automated domain
+ transition. However, the policy still
+ needs to autorize the transition. This
+ directive is ignored if SELinux is
+ disabled. If prefixed by
+ <literal>-</literal>, all errors will
+ be ignored. See
<citerefentry><refentrytitle>setexeccon</refentrytitle><manvolnum>3</manvolnum></citerefentry>
for details.</para></listitem>
</varlistentry>
diff --git a/man/systemd.journal-fields.xml b/man/systemd.journal-fields.xml
index bb89ed58d3..c93b5da1dc 100644
--- a/man/systemd.journal-fields.xml
+++ b/man/systemd.journal-fields.xml
@@ -244,8 +244,8 @@
<term><varname>_SELINUX_CONTEXT=</varname></term>
<listitem>
<para>The SELinux security
- context of the process the
- journal entry originates
+ context (label) of the process
+ the journal entry originates
from.</para>
</listitem>
</varlistentry>
diff --git a/man/tmpfiles.d.xml b/man/tmpfiles.d.xml
index ec1ae76b17..a304dd00e6 100644
--- a/man/tmpfiles.d.xml
+++ b/man/tmpfiles.d.xml
@@ -174,7 +174,7 @@ L /tmp/foobar - - - - /dev/null</programlisting>
adjust its access mode, group
and user to the specified
values and reset the SELinux
- label. If it does not exist, do
+ security context. If it does not exist, do
nothing.</para></listitem>
</varlistentry>
@@ -242,7 +242,7 @@ L /tmp/foobar - - - - /dev/null</programlisting>
<varlistentry>
<term><varname>z</varname></term>
<listitem><para>Restore
- SELinux security context label
+ SELinux security context
and set ownership and access
mode of a file or directory if
it exists. Lines of this type
@@ -255,7 +255,7 @@ L /tmp/foobar - - - - /dev/null</programlisting>
<term><varname>Z</varname></term>
<listitem><para>Recursively
restore SELinux security
- context label and set
+ context and set
ownership and access mode of a
path and all its
subdirectories (if it is a
diff --git a/src/core/execute.c b/src/core/execute.c
index 437065465d..b941a024de 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -2123,7 +2123,6 @@ void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) {
fprintf(f,
"%sSELinuxContext: %s\n",
prefix, c->selinux_context);
-
}
void exec_status_start(ExecStatus *s, pid_t pid) {
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index be8161c351..646c6c02f3 100644
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -80,8 +80,8 @@ static char *arg_directory = NULL;
static char *arg_user = NULL;
static sd_id128_t arg_uuid = {};
static char *arg_machine = NULL;
-static char *arg_process_label = NULL;
-static char *arg_apifs_label = NULL;
+static char *arg_selinux_context = NULL;
+static char *arg_selinux_apifs_context = NULL;
static const char *arg_slice = NULL;
static bool arg_private_network = false;
static bool arg_read_only = false;
@@ -131,10 +131,12 @@ static int help(void) {
" --uuid=UUID Set a specific machine UUID for the container\n"
" -M --machine=NAME Set the machine name for the container\n"
" -S --slice=SLICE Place the container in the specified slice\n"
- " -L --apifs-label=LABEL Set the MAC file label to be used by API/tmpfs file\n"
- " systems in the container\n"
- " -Z --process-label=LABEL Set the MAC label to be used by processes in\n"
- " the container\n"
+ " -Z --selinux-context=SECLABEL\n"
+ " Set the SELinux security context to be used by\n"
+ " processes in the container\n"
+ " -L --selinux-apifs-context=SECLABEL\n"
+ " Set the SELinux security context to be used by\n"
+ " API/tmpfs file systems in the container\n"
" --private-network Disable network in container\n"
" --read-only Mount the root directory read-only\n"
" --capability=CAP In addition to the default, retain specified\n"
@@ -168,25 +170,25 @@ static int parse_argv(int argc, char *argv[]) {
};
static const struct option options[] = {
- { "help", no_argument, NULL, 'h' },
- { "version", no_argument, NULL, ARG_VERSION },
- { "directory", required_argument, NULL, 'D' },
- { "user", required_argument, NULL, 'u' },
- { "private-network", no_argument, NULL, ARG_PRIVATE_NETWORK },
- { "boot", no_argument, NULL, 'b' },
- { "uuid", required_argument, NULL, ARG_UUID },
- { "read-only", no_argument, NULL, ARG_READ_ONLY },
- { "capability", required_argument, NULL, ARG_CAPABILITY },
- { "drop-capability", required_argument, NULL, ARG_DROP_CAPABILITY },
- { "link-journal", required_argument, NULL, ARG_LINK_JOURNAL },
- { "bind", required_argument, NULL, ARG_BIND },
- { "bind-ro", required_argument, NULL, ARG_BIND_RO },
- { "machine", required_argument, NULL, 'M' },
- { "slice", required_argument, NULL, 'S' },
- { "setenv", required_argument, NULL, ARG_SETENV },
- { "process-label", required_argument, NULL, 'Z' },
- { "apifs-label", required_argument, NULL, 'L' },
- { "quiet", no_argument, NULL, 'q' },
+ { "help", no_argument, NULL, 'h' },
+ { "version", no_argument, NULL, ARG_VERSION },
+ { "directory", required_argument, NULL, 'D' },
+ { "user", required_argument, NULL, 'u' },
+ { "private-network", no_argument, NULL, ARG_PRIVATE_NETWORK },
+ { "boot", no_argument, NULL, 'b' },
+ { "uuid", required_argument, NULL, ARG_UUID },
+ { "read-only", no_argument, NULL, ARG_READ_ONLY },
+ { "capability", required_argument, NULL, ARG_CAPABILITY },
+ { "drop-capability", required_argument, NULL, ARG_DROP_CAPABILITY },
+ { "link-journal", required_argument, NULL, ARG_LINK_JOURNAL },
+ { "bind", required_argument, NULL, ARG_BIND },
+ { "bind-ro", required_argument, NULL, ARG_BIND_RO },
+ { "machine", required_argument, NULL, 'M' },
+ { "slice", required_argument, NULL, 'S' },
+ { "setenv", required_argument, NULL, ARG_SETENV },
+ { "selinux-context", required_argument, NULL, 'Z' },
+ { "selinux-apifs-context", required_argument, NULL, 'L' },
+ { "quiet", no_argument, NULL, 'q' },
{}
};
@@ -261,12 +263,12 @@ static int parse_argv(int argc, char *argv[]) {
break;
- case 'L':
- arg_apifs_label = optarg;
+ case 'Z':
+ arg_selinux_context = optarg;
break;
- case 'Z':
- arg_process_label = optarg;
+ case 'L':
+ arg_selinux_apifs_context = optarg;
break;
case ARG_READ_ONLY:
@@ -449,8 +451,9 @@ static int mount_all(const char *dest) {
mkdir_p(where, 0755);
#ifdef HAVE_SELINUX
- if (arg_apifs_label && (streq_ptr(mount_table[k].what, "tmpfs") || streq_ptr(mount_table[k].what, "devpts"))) {
- options = strjoin(mount_table[k].options, ",context=\"", arg_apifs_label, "\"", NULL);
+ if (arg_selinux_apifs_context &&
+ (streq_ptr(mount_table[k].what, "tmpfs") || streq_ptr(mount_table[k].what, "devpts"))) {
+ options = strjoin(mount_table[k].options, ",context=\"", arg_selinux_apifs_context, "\"", NULL);
if (!options)
return log_oom();
@@ -1535,9 +1538,9 @@ int main(int argc, char *argv[]) {
env_use = (char**) envp;
#ifdef HAVE_SELINUX
- if (arg_process_label)
- if (setexeccon(arg_process_label) < 0)
- log_error("setexeccon(\"%s\") failed: %m", arg_process_label);
+ if (arg_selinux_context)
+ if (setexeccon(arg_selinux_context) < 0)
+ log_error("setexeccon(\"%s\") failed: %m", arg_selinux_context);
#endif
if (arg_boot) {
char **a;