Skip to content

Commit

Permalink
systemd-logind remove all IPC objects owned by a user on a logout. Th…
Browse files Browse the repository at this point in the history 
…is covers also SysV memory. This change allows to destroy unpriviledged user SysV shared memory segments.
  • Loading branch information
@mgrepl
mgrepl committed Nov 11, 2015
1 parent 5dc60e9 commit 7516138
Showing 1 changed file with 1 addition and 0 deletions.
1 change: 1 addition & 0 deletions policy/modules/system/systemd.te
View file
Original file line number Diff line number Diff line change
Expand Up @@ -213,6 +213,7 @@ logging_send_syslog_msg(systemd_logind_t)
udev_read_db(systemd_logind_t)
udev_manage_rules_files(systemd_logind_t)

userdom_destroy_unpriv_user_shared_mem(systemd_logind_t)
userdom_read_all_users_state(systemd_logind_t)
userdom_use_user_ttys(systemd_logind_t)
userdom_manage_tmp_role(system_r, systemd_logind_t)
Expand Down

3 comments on commit 7516138

@mgrepl
Copy link
Contributor Author

@mgrepl mgrepl commented on 7516138 Nov 13, 2015

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

First we need to get pam_selinux+systemd working at all (see upstream communication about SELinux code issues). Then we can think about your suggestions.

Thank you.

@mgrepl
Copy link
Contributor Author

@mgrepl mgrepl commented on 7516138 Nov 13, 2015

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

http://marc.info/?l=selinux&m=144707899910491&w=2

@mgrepl
Copy link
Contributor Author

@mgrepl mgrepl commented on 7516138 Nov 13, 2015

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes. There are some policy issues with confined init_t on which we are working. Good idea with a permissive domain ;-).

Please sign in to comment.