From: Nicolas Iooss <nicolas.iooss@m4x.org>
To: selinux@vger.kernel.org
Subject: [PATCH 2/3] restorecond: add systemd user service
Date: Mon, 13 Apr 2020 18:24:12 +0200
Message-ID: <20200413162413.1161803-2-nicolas.iooss@m4x.org>
In-Reply-To: <20200413162413.1161803-1-nicolas.iooss@m4x.org>

When running restorecond in user sessions using D-Bus activation,
restorecond's process is spawned in the CGroup of the D-Bus daemon:

    $ systemctl --user status
    [...]
       CGroup: /user.slice/user-1000.slice/user@1000.service
               ├─init.scope
               │ ├─1206 /usr/lib/systemd/systemd --user
               │ └─1208 (sd-pam)
               └─dbus.service
                 ├─1628 /usr/bin/dbus-daemon --session --address=systemd:
                 └─4570 /usr/sbin/restorecond -u

In order to separate it, introduce a systemd unit for
restorecond-started-as-user.

After this patch:

       CGroup: /user.slice/user-1000.slice/user@1000.service
               ├─restorecond-user.service
               │ └─2871 /usr/sbin/restorecond -u
               ├─init.scope
               │ ├─481 /usr/lib/systemd/systemd --user
               │ └─485 (sd-pam)
               └─dbus.service
                 └─2868 /usr/bin/dbus-daemon --session --address=systemd:

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
---
 restorecond/Makefile                        |  2 ++
 restorecond/org.selinux.Restorecond.service |  1 +
 restorecond/restorecond-user.service        | 10 ++++++++++
 3 files changed, 13 insertions(+)
 create mode 100644 restorecond/restorecond-user.service

diff --git a/restorecond/Makefile b/restorecond/Makefile
index 50702c661aeb..501f89dfca57 100644
--- a/restorecond/Makefile
+++ b/restorecond/Makefile
@@ -50,6 +50,8 @@ install: all
 	install -m 644 org.selinux.Restorecond.service  $(DESTDIR)$(DBUSSERVICEDIR)/org.selinux.Restorecond.service
 	-mkdir -p $(DESTDIR)$(SYSTEMDDIR)/system
 	install -m 644 restorecond.service $(DESTDIR)$(SYSTEMDDIR)/system/
+	-mkdir -p $(DESTDIR)$(SYSTEMDDIR)/user
+	install -m 644 restorecond-user.service $(DESTDIR)$(SYSTEMDDIR)/user/
 relabel: install
 	/sbin/restorecon $(DESTDIR)$(SBINDIR)/restorecond 
 
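Review bot: the leading `-` on the new `mkdir -p $(DESTDIR)$(SYSTEMDDIR)/user` line makes make ignore a failure to create the directory, so the problem only surfaces on the following `install` line, with a less direct error. This mirrors the existing `system` line above it, but dropping the `-` on the new line (or on both) would make a failed install stop at the actual cause.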
diff --git a/restorecond/org.selinux.Restorecond.service b/restorecond/org.selinux.Restorecond.service
index 0ef5f0b5cdc5..55989a9cbbd0 100644
--- a/restorecond/org.selinux.Restorecond.service
+++ b/restorecond/org.selinux.Restorecond.service
@@ -1,3 +1,4 @@
 [D-BUS Service]
 Name=org.selinux.Restorecond
 Exec=/usr/sbin/restorecond -u
+SystemdService=restorecond-user.service
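Review bot: with `SystemdService=` added next to the existing `Exec=`, the launch command for this bus name is now defined in two places: `Exec=/usr/sbin/restorecond -u` here, which a bus daemon running without systemd activation still uses, and `ExecStart=` in restorecond-user.service. The commit message should state that the two must be kept in sync, and that the unit named here is the one the Makefile installs under `$(SYSTEMDDIR)/user/`.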
diff --git a/restorecond/restorecond-user.service b/restorecond/restorecond-user.service
new file mode 100644
index 000000000000..28ca770f94cb
--- /dev/null
+++ b/restorecond/restorecond-user.service
@@ -0,0 +1,10 @@
+[Unit]
+Description=Restorecon maintaining path file context (user service)
+Documentation=man:restorecond(8)
+ConditionPathExists=/etc/selinux/restorecond_user.conf
+ConditionSecurity=selinux
+
+[Service]
+Type=dbus
+BusName=org.selinux.Restorecond
+ExecStart=/usr/sbin/restorecond -u
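Review bot: `ExecStart=/usr/sbin/restorecond -u` hard-codes the binary path, while the Makefile refers to the binary as `$(DESTDIR)$(SBINDIR)/restorecond`, so a build with a non-default SBINDIR gets a unit that points at the wrong path. Consider generating the unit from a template with SBINDIR substituted at build time. Separately, the commit message does not say what a D-Bus client requesting org.selinux.Restorecond sees when `ConditionPathExists=` or `ConditionSecurity=selinux` is not met and the start is skipped; a sentence documenting that behaviour would help.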
-- 
2.26.0

