diff options
author | Lennart Poettering <lennart@poettering.net> | 2014-02-10 12:32:03 +0100 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2014-02-10 13:18:16 +0100 |
commit | 82adf6af7c72b852449346835f33184a841b4796 (patch) | |
tree | 0dd1c4c6dcdd9760df65300e15bd3b53b5aad553 | |
parent | 0d3f7bb3a5bc6d5c0712f88a080fed388981bca3 (diff) |
nspawn,man: use a common vocabulary when referring to selinux security contexts
Let's always call the security labels the same way:
SMACK: "Smack Label"
SELINUX: "SELinux Security Context"
And the low-level encapsulation is called "seclabel". Now let's hope we
stick to this vocabulary in future, too, and don't mix "label"s and
"security contexts" and so on wildly.
-rw-r--r-- | man/sd_bus_creds_get_pid.xml | 2 | ||||
-rw-r--r-- | man/systemd-nspawn.xml | 24 | ||||
-rw-r--r-- | man/systemd.exec.xml | 16 | ||||
-rw-r--r-- | man/systemd.journal-fields.xml | 4 | ||||
-rw-r--r-- | man/tmpfiles.d.xml | 6 | ||||
-rw-r--r-- | src/core/execute.c | 1 | ||||
-rw-r--r-- | src/nspawn/nspawn.c | 71 |
7 files changed, 65 insertions, 59 deletions
diff --git a/man/sd_bus_creds_get_pid.xml b/man/sd_bus_creds_get_pid.xml index 40de81f82e..d33533170f 100644 --- a/man/sd_bus_creds_get_pid.xml +++ b/man/sd_bus_creds_get_pid.xml @@ -333,7 +333,7 @@ along with systemd; If not, see <http://www.gnu.org/licenses/>. but will check the bounding capabilities mask.</para> <para><function>sd_bus_creds_get_selinux_context</function> will - retrieve the SELinux context of the process.</para> + retrieve the SELinux security context (label) of the process.</para> <para><function>sd_bus_creds_get_audit_session_id</function> will retrieve the audit session identifier of the process.</para> diff --git a/man/systemd-nspawn.xml b/man/systemd-nspawn.xml index c95a7c0e9a..96ccc5cef7 100644 --- a/man/systemd-nspawn.xml +++ b/man/systemd-nspawn.xml @@ -249,23 +249,23 @@ </varlistentry> <varlistentry> - <term><option>-L</option></term> - <term><option>--apifs-label=</option></term> + <term><option>-Z</option></term> + <term><option>--selinux-context=</option></term> - <listitem><para>Sets the mandatory - access control (MAC/SELinux) file - label to be used by virtual API file - systems in the container.</para> + <listitem><para>Sets the SELinux + security context to be used to label + processes in the container.</para> </listitem> </varlistentry> <varlistentry> - <term><option>-Z</option></term> - <term><option>--process-label=</option></term> + <term><option>-L</option></term> + <term><option>--selinux-apifs-context=</option></term> - <listitem><para>Sets the mandatory - access control (MAC/SELinux) label to be used by - processes in the container.</para> + <listitem><para>Sets the SELinux security + context to be used to label files in + the virtual API file systems in the + container.</para> </listitem> </varlistentry> @@ -495,7 +495,7 @@ <programlisting># chcon system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -R /srv/container # systemd-nspawn -L system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -Z system_u:system_r:svirt_lxc_net_t:s0:c0,c1 -D /srv/container /bin/sh</programlisting> - <para>This runs a container with SELinux sandbox labels.</para> + <para>This runs a container with SELinux sandbox security contexts.</para> </refsect1> <refsect1> diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index ecf48a73c9..f4caccdd23 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml @@ -953,12 +953,16 @@ <varlistentry> <term><varname>SELinuxContext=</varname></term> - <listitem><para>Set the SELinux context of the - executed process. If set, this will override the - automated domain transition. However, the policy - still need to autorize the transition. This directive - is ignored if SELinux is disabled. If prefixed by <literal>-</literal>, - all errors will be ignored. See + <listitem><para>Set the SELinux + security context of the executed + process. If set, this will override + the automated domain + transition. However, the policy still + needs to autorize the transition. This + directive is ignored if SELinux is + disabled. If prefixed by + <literal>-</literal>, all errors will + be ignored. See <citerefentry><refentrytitle>setexeccon</refentrytitle><manvolnum>3</manvolnum></citerefentry> for details.</para></listitem> </varlistentry> diff --git a/man/systemd.journal-fields.xml b/man/systemd.journal-fields.xml index bb89ed58d3..c93b5da1dc 100644 --- a/man/systemd.journal-fields.xml +++ b/man/systemd.journal-fields.xml @@ -244,8 +244,8 @@ <term><varname>_SELINUX_CONTEXT=</varname></term> <listitem> <para>The SELinux security - context of the process the - journal entry originates + context (label) of the process + the journal entry originates from.</para> </listitem> </varlistentry> diff --git a/man/tmpfiles.d.xml b/man/tmpfiles.d.xml index ec1ae76b17..a304dd00e6 100644 --- a/man/tmpfiles.d.xml +++ b/man/tmpfiles.d.xml @@ -174,7 +174,7 @@ L /tmp/foobar - - - - /dev/null</programlisting> adjust its access mode, group and user to the specified values and reset the SELinux - label. If it does not exist, do + security context. If it does not exist, do nothing.</para></listitem> </varlistentry> @@ -242,7 +242,7 @@ L /tmp/foobar - - - - /dev/null</programlisting> <varlistentry> <term><varname>z</varname></term> <listitem><para>Restore - SELinux security context label + SELinux security context and set ownership and access mode of a file or directory if it exists. Lines of this type @@ -255,7 +255,7 @@ L /tmp/foobar - - - - /dev/null</programlisting> <term><varname>Z</varname></term> <listitem><para>Recursively restore SELinux security - context label and set + context and set ownership and access mode of a path and all its subdirectories (if it is a diff --git a/src/core/execute.c b/src/core/execute.c index 437065465d..b941a024de 100644 --- a/src/core/execute.c +++ b/src/core/execute.c @@ -2123,7 +2123,6 @@ void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) { fprintf(f, "%sSELinuxContext: %s\n", prefix, c->selinux_context); - } void exec_status_start(ExecStatus *s, pid_t pid) { diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c index be8161c351..646c6c02f3 100644 --- a/src/nspawn/nspawn.c +++ b/src/nspawn/nspawn.c @@ -80,8 +80,8 @@ static char *arg_directory = NULL; static char *arg_user = NULL; static sd_id128_t arg_uuid = {}; static char *arg_machine = NULL; -static char *arg_process_label = NULL; -static char *arg_apifs_label = NULL; +static char *arg_selinux_context = NULL; +static char *arg_selinux_apifs_context = NULL; static const char *arg_slice = NULL; static bool arg_private_network = false; static bool arg_read_only = false; @@ -131,10 +131,12 @@ static int help(void) { " --uuid=UUID Set a specific machine UUID for the container\n" " -M --machine=NAME Set the machine name for the container\n" " -S --slice=SLICE Place the container in the specified slice\n" - " -L --apifs-label=LABEL Set the MAC file label to be used by API/tmpfs file\n" - " systems in the container\n" - " -Z --process-label=LABEL Set the MAC label to be used by processes in\n" - " the container\n" + " -Z --selinux-context=SECLABEL\n" + " Set the SELinux security context to be used by\n" + " processes in the container\n" + " -L --selinux-apifs-context=SECLABEL\n" + " Set the SELinux security context to be used by\n" + " API/tmpfs file systems in the container\n" " --private-network Disable network in container\n" " --read-only Mount the root directory read-only\n" " --capability=CAP In addition to the default, retain specified\n" @@ -168,25 +170,25 @@ static int parse_argv(int argc, char *argv[]) { }; static const struct option options[] = { - { "help", no_argument, NULL, 'h' }, - { "version", no_argument, NULL, ARG_VERSION }, - { "directory", required_argument, NULL, 'D' }, - { "user", required_argument, NULL, 'u' }, - { "private-network", no_argument, NULL, ARG_PRIVATE_NETWORK }, - { "boot", no_argument, NULL, 'b' }, - { "uuid", required_argument, NULL, ARG_UUID }, - { "read-only", no_argument, NULL, ARG_READ_ONLY }, - { "capability", required_argument, NULL, ARG_CAPABILITY }, - { "drop-capability", required_argument, NULL, ARG_DROP_CAPABILITY }, - { "link-journal", required_argument, NULL, ARG_LINK_JOURNAL }, - { "bind", required_argument, NULL, ARG_BIND }, - { "bind-ro", required_argument, NULL, ARG_BIND_RO }, - { "machine", required_argument, NULL, 'M' }, - { "slice", required_argument, NULL, 'S' }, - { "setenv", required_argument, NULL, ARG_SETENV }, - { "process-label", required_argument, NULL, 'Z' }, - { "apifs-label", required_argument, NULL, 'L' }, - { "quiet", no_argument, NULL, 'q' }, + { "help", no_argument, NULL, 'h' }, + { "version", no_argument, NULL, ARG_VERSION }, + { "directory", required_argument, NULL, 'D' }, + { "user", required_argument, NULL, 'u' }, + { "private-network", no_argument, NULL, ARG_PRIVATE_NETWORK }, + { "boot", no_argument, NULL, 'b' }, + { "uuid", required_argument, NULL, ARG_UUID }, + { "read-only", no_argument, NULL, ARG_READ_ONLY }, + { "capability", required_argument, NULL, ARG_CAPABILITY }, + { "drop-capability", required_argument, NULL, ARG_DROP_CAPABILITY }, + { "link-journal", required_argument, NULL, ARG_LINK_JOURNAL }, + { "bind", required_argument, NULL, ARG_BIND }, + { "bind-ro", required_argument, NULL, ARG_BIND_RO }, + { "machine", required_argument, NULL, 'M' }, + { "slice", required_argument, NULL, 'S' }, + { "setenv", required_argument, NULL, ARG_SETENV }, + { "selinux-context", required_argument, NULL, 'Z' }, + { "selinux-apifs-context", required_argument, NULL, 'L' }, + { "quiet", no_argument, NULL, 'q' }, {} }; @@ -261,12 +263,12 @@ static int parse_argv(int argc, char *argv[]) { break; - case 'L': - arg_apifs_label = optarg; + case 'Z': + arg_selinux_context = optarg; break; - case 'Z': - arg_process_label = optarg; + case 'L': + arg_selinux_apifs_context = optarg; break; case ARG_READ_ONLY: @@ -449,8 +451,9 @@ static int mount_all(const char *dest) { mkdir_p(where, 0755); #ifdef HAVE_SELINUX - if (arg_apifs_label && (streq_ptr(mount_table[k].what, "tmpfs") || streq_ptr(mount_table[k].what, "devpts"))) { - options = strjoin(mount_table[k].options, ",context=\"", arg_apifs_label, "\"", NULL); + if (arg_selinux_apifs_context && + (streq_ptr(mount_table[k].what, "tmpfs") || streq_ptr(mount_table[k].what, "devpts"))) { + options = strjoin(mount_table[k].options, ",context=\"", arg_selinux_apifs_context, "\"", NULL); if (!options) return log_oom(); @@ -1535,9 +1538,9 @@ int main(int argc, char *argv[]) { env_use = (char**) envp; #ifdef HAVE_SELINUX - if (arg_process_label) - if (setexeccon(arg_process_label) < 0) - log_error("setexeccon(\"%s\") failed: %m", arg_process_label); + if (arg_selinux_context) + if (setexeccon(arg_selinux_context) < 0) + log_error("setexeccon(\"%s\") failed: %m", arg_selinux_context); #endif if (arg_boot) { char **a; |