fedora-selinux / selinux-policy

selinux-policy for Fedora is a large patch off the mainline
GNU General Public License v2.0

systemd: allow systemd_notify_t to send data to kernel_t datagram sockets #2037

Closed rmetrich closed 7 months ago

rmetrich commented 7 months ago

This is required because systemd's notify socket is created while in the initramfs, hence as kernel_t. Once SELinux permits relabeling socket objects created before the policy is loaded, this should be removed and systemd fixed to relabel the socket appropriately. Tracked by systemd PR.

zpytela commented 7 months ago

Can you please include a reproducer and/or the AVC denials in the commit message?

zpytela commented 7 months ago

Merging, thank you.
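For gathering the AVC denials requested above, here is an added example (not part of the PR or the project's code) that parses audit records, groups denials by source type, target type and class, and isolates those aimed at `kernel_t`-labelled sockets, the signature of an object created before the policy was loaded. The audit lines are constructed samples, the helper names are hypothetical, and the printed rule is a triage aid, not necessarily the change this PR merged.

```python
import re
from collections import defaultdict

# Constructed sample audit records (not taken from the PR); pids, timestamps
# and the exact denial shape are assumptions for illustration.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1700000000.101:201): avc:  denied  { sendto } for  pid=811 comm="systemd-notify" path="/run/systemd/notify" scontext=system_u:system_r:systemd_notify_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1700000000.300:202): avc:  denied  { read } for  pid=900 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000001.050:207): avc:  denied  { sendto } for  pid=845 comm="systemd-notify" path="/run/systemd/notify" scontext=system_u:system_r:systemd_notify_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=0
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def selinux_type(context):
    # A context is user:role:type:level[:categories]; the type is the third field.
    return context.split(":")[2]

def summarize_denials(log_text):
    """Group denials by (source type, target type, class), merging permissions."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial record
        key = (selinux_type(m["scon"]), selinux_type(m["tcon"]), m["tclass"])
        grouped[key].update(m["perms"].split())
    return dict(grouped)

def pre_policy_socket_denials(grouped):
    """Keep denials whose target is a socket still labelled kernel_t."""
    return {k: v for k, v in grouped.items()
            if k[1] == "kernel_t" and k[2].endswith("_socket")}

def as_allow_rules(grouped):
    """Render each group as a candidate allow rule for review."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(grouped.items())]

if __name__ == "__main__":
    hits = pre_policy_socket_denials(summarize_denials(SAMPLE_AUDIT_LOG))
    print("\n".join(as_allow_rules(hits)))
```

Any rule it prints should be reviewed before adoption: a `kernel_t` target means the grant covers every socket the kernel or initramfs left unlabelled, which is why the PR description treats the rule as temporary.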