From: Paul Moore
Date: Wed, 14 Jun 2023 15:33:33 -0400
Subject: SELinux and systemd integration
To: Christian Göttsche, selinux@vger.kernel.org, selinux-refpolicy@vger.kernel.org
Cc: Lennart Poettering
X-Mailing-List: selinux-refpolicy@vger.kernel.org

Hello all,

Amongst Christian's various other SELinux contributions, over the past several years Christian has been working on improving the SELinux integration in systemd.
One of the things that Christian has been working on is revamping the SELinux permissions that systemd uses for unitfile operations, both to resolve problems and generally improve the mapping of permissions to systemd operations. As this work has been languishing for several years, I would like to see if we can get things "unstuck" by proposing two things:

1. I've provided links to the systemd GH PRs below, but I think it might be helpful if Christian could provide a quick summary of the new permissions, how they map to systemd operations, and how they map to the existing SELinux/systemd permissions with a focus on helping policy developers migrate existing SELinux policies.

2. Given the significance of systemd to modern Linux distributions, I think it might be a good idea if we selected a SELinux "liaison" for the systemd project. This person, or group of people, would work with the systemd folks to keep the SELinux integration in good working order, review systemd code as necessary, and help represent the SELinux project within systemd.

How does that sound to everyone?

If we are in agreement on #2, and assuming he would be willing to help out, I would like to nominate Christian as our SELinux liaison to systemd; any objections? Anyone else interested in helping out?

For reference, Christian's systemd PRs on GH:

* https://github.com/systemd/systemd/pull/10023
* https://github.com/systemd/systemd/pull/20387

-- 
paul-moore.com