Received: by 2002:a05:6358:3188:b0:123:57c1:9b43 with SMTP id q8csp90124rwd;
        Wed, 14 Jun 2023 12:38:58 -0700 (PDT)
X-Google-Smtp-Source: ACHHUZ7vfcMDXWoD51czD6JuH4t7YmGQZOt+E+WYEUP8ELUCevImfW9CkRFQFpVxFjsx77eUJKBZ
X-Received: by 2002:a17:90a:714c:b0:25b:f113:19b5 with SMTP id g12-20020a17090a714c00b0025bf11319b5mr2337017pjs.40.1686771538433;
        Wed, 14 Jun 2023 12:38:58 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1686771538; cv=none;
        d=google.com; s=arc-20160816;
        b=LyLcsUbTtDeXCz4j24pNkg2xDL269wNCTEJBEE/z5uPPVXrMy+7jShdr5xjR2Dn8u8
         6yzHKn/J8EIR0u93VJ43ADsuYknoC9ajSFqNTCJKGNmxZGiHIkrvzS/rQQoKAClxWtXE
         C7Oaqg+izyorSfLu5q/potPkRYSV9J+kFBRPlC2Au60ZyAcR00CK2BpCCUThXiaHPbXm
         L9clHbfdiJH9fJWijsuNOloueZBf0zRHycc5irAUYc80mHThh/u0MLCvQuK+eCVdqZIC
         Ej8L6efeeZTm4iGh5Sb+Mg78DPyiHnSuD0jaWgP6ZkfTwYSWNmXe/TYvsK6anIyyEoyU
         sZZA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:cc:to:subject:message-id:date:from:mime-version
         :dkim-signature;
        bh=KvOAIrF6LzcXtyY6sHIJfZBt/wvZ4I6SC5BVY/k9gVs=;
        b=QUTlx8dM+vJUdzLhj/l01K17kZ+v34tDx0q7QWsog4qttxP2L+Rn0F/JJ0tRbzfovz
         /Lv+ymk904/nTzGbrKk50pKqp99qy5PkkVh5Rai1SOQfelpKG++ZatknaHjjsSpYQv5F
         awD4+L5H02CU83UBxiJC+dyjWG4BF4/wRC4HQUSCnryhU9xMbBpbOQ/sLcMj4wbdVstX
         tUdJVElbaICXB3yef1WZES691JSNofHCHRWqmK181UsSyXFmbWOruMc+blfgxQj9ihJh
         3Zm4cjnhJnyXnxeuEKMJUPBvP3f+UyJrCfPq86c3bD0uZ2MJxQcLprOTZ4kEn2/obgCU
         q0Fg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@paul-moore.com header.s=google header.b=bj4tN+1+;
       spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=paul-moore.com
Return-Path: <selinux-refpolicy-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id t3-20020a17090aae0300b002533ea2ad58si12954094pjq.140.2023.06.14.12.38.55;
        Wed, 14 Jun 2023 12:38:58 -0700 (PDT)
Received-SPF: pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@paul-moore.com header.s=google header.b=bj4tN+1+;
       spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=paul-moore.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S232724AbjFNTdq (ORCPT <rfc822;sekidde@gmail.com> + 21 others);
        Wed, 14 Jun 2023 15:33:46 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:55734 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S230523AbjFNTdp (ORCPT
        <rfc822;selinux-refpolicy@vger.kernel.org>);
        Wed, 14 Jun 2023 15:33:45 -0400
Received: from mail-yw1-x1132.google.com (mail-yw1-x1132.google.com [IPv6:2607:f8b0:4864:20::1132])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id BBA2DD2
        for <selinux-refpolicy@vger.kernel.org>; Wed, 14 Jun 2023 12:33:44 -0700 (PDT)
Received: by mail-yw1-x1132.google.com with SMTP id 00721157ae682-56d3d7a5b84so11585267b3.0
        for <selinux-refpolicy@vger.kernel.org>; Wed, 14 Jun 2023 12:33:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=paul-moore.com; s=google; t=1686771224; x=1689363224;
        h=cc:to:subject:message-id:date:from:mime-version:from:to:cc:subject
         :date:message-id:reply-to;
        bh=KvOAIrF6LzcXtyY6sHIJfZBt/wvZ4I6SC5BVY/k9gVs=;
        b=bj4tN+1+Grm5fx7dt7/L1UNYUZhSe/q9hqPOOW/9hIBh6HFSzlhsz9hKteNgHT1kBw
         91e9AoqvmlCnf5yuYQ8voSh+ELiKRUniEgVVSROIz4EvXZjKO68wVeANqll+WV05HJ5r
         4UvqOT0Rpuk3ENVG0gA/5IeWfD6RyMZjyxdrA5UcNWMIM7GnQW9RTAFgslR4WkPJgoxR
         48ZZg+66hFg3sjp9xDneIaRtCEG5tOHl5NGN64BmVEVXSjZqOKgCs5OuiET2/N+smCFt
         COT1Y7DCbMGRvPTK46bhnBBmZ5BrhegfPl4j+HxVQ78ABDekWLVFbQrUSPzPLJlDax6b
         jHqQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20221208; t=1686771224; x=1689363224;
        h=cc:to:subject:message-id:date:from:mime-version:x-gm-message-state
         :from:to:cc:subject:date:message-id:reply-to;
        bh=KvOAIrF6LzcXtyY6sHIJfZBt/wvZ4I6SC5BVY/k9gVs=;
        b=TC6P8RqMZSvdGnyKWv2LOGGVrXmTChpEbXAWZ77OUoyDFk4y4rMdbfHiIVvB+rwU7V
         cHpEu7aFCA8qo75kBw5Z6I0YRjBtADFaE/M8ROFAhge4Ajfn7z2C+5KP/2i4q38SBeF3
         9V7mCi8YghHhXjX0xJZ5pRT74l01noDdbZ+TP0ufDYnv7+4cSoFZbvVnVp66wdNZkugt
         kNNa4200owRoUB8Gjq2HV/zP5hQs03sXstDnXknfyKwiIV+Bv/KJCB8gHVi5h6CuU1Dk
         oEKhEn1Uc3EJmPEMFNdm/D8dkG5wQpZ8yr2PiqHHP/EP5Mc/INaWNg4UTe/V9Zqlwvdn
         Ma5A==
X-Gm-Message-State: AC+VfDz8zYZyRqS8b2tiWWdeZ1RA8TUHq+noN5tJywMiqtOBOgWrri6e
        fvrmvH6wfiTpa2FMmQnZ8OX3L4ysqJPCc3Y7Xc8h
X-Received: by 2002:a0d:cbc7:0:b0:56d:a55:4b25 with SMTP id
 n190-20020a0dcbc7000000b0056d0a554b25mr2413487ywd.40.1686771223885; Wed, 14
 Jun 2023 12:33:43 -0700 (PDT)
MIME-Version: 1.0
From:   Paul Moore <paul@paul-moore.com>
Date:   Wed, 14 Jun 2023 15:33:33 -0400
Message-ID: <CAHC9VhRAXQyzG7OsgXQfWT09qEFQRmeN2foGLGnU8cHdRKePUA@mail.gmail.com>
Subject: SELinux and systemd integration
To:     =?UTF-8?Q?Christian_G=C3=B6ttsche?= <cgzones@googlemail.com>,
        selinux@vger.kernel.org, selinux-refpolicy@vger.kernel.org
Cc:     Lennart Poettering <lennart@poettering.net>
Content-Type: text/plain; charset="UTF-8"
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,
        DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE,
        SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE,URIBL_BLOCKED
        autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <selinux-refpolicy.vger.kernel.org>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

Hello all,

Amongst Christian's various other SELinux contributions, over the past
several years Christian has been working on improving the SELinux
integration in systemd.  One of the things that Christian has been
working on is revamping the SELinux permissions that systemd uses for
unitfile operations, both to resolve problems and generally improve
the mapping of permissions to systemd operations.  As this work has
been languishing for several years, I would like to see if we can get
things "unstuck" by proposing two things:

1. I've provided links to the systemd GH PRs below, but I think it
might be helpful if Christian could provide a quick summary of the new
permissions, how they map to systemd operations, and how they map to
the existing SELinux/systemd permissions with a focus on helping
policy developers migrate existing SELinux policies.

2. Given the significance of systemd to modern Linux distributions, I
think it might be a good idea if we selected a SELinux "liaison" for
the systemd project.  This person, or group of people, would work with
the systemd folks to keep the SELinux integration in good working
order, review systemd code as necessary, and help represent the
SELinux project within systemd.

How does that sound to everyone?  If we are in agreement on #2, and
assuming he would be willing to help out, I would like to nominate
Christian as our SELinux liaison to systemd; any objections?  Anyone
else interested in helping out?

For reference, Christian's systemd PRs on GH:
* https://github.com/systemd/systemd/pull/10023
* https://github.com/systemd/systemd/pull/20387

--
paul-moore.com