Update comments for the systemd Type=notify support

[noissue] re: #9272 pulpcore-selinux needs SELinux changes for systemd Type=notify https://pulp.plan.io/issues/9272
pulp · Sep 16, 2021 · 0f403b0 · 0f403b0
1 parent e223c8e
commit 0f403b0
Showing 1 changed file with 7 additions and 1 deletion.
diff --git a/pulpcore.te b/pulpcore.te
@@ -105,6 +105,8 @@ allow pulpcore_t pulpcore_server_tmpfs_t:file map;
 # interface calls
 
 # Needed for systemd Type=notify support
+# Needed when /run/systemd/notify is not appropriately labelled (at least on
+# EL7) as kernel_t rather than init_var_run_t
 kernel_dgram_send(pulpcore_server_t)
 
 kernel_read_all_proc(pulpcore_t)
@@ -136,10 +138,14 @@ fs_getattr_xattr_fs(pulpcore_server_t)
 libs_exec_ldconfig(pulpcore_t)
 libs_exec_ldconfig(pulpcore_server_t)
 
-# Needed for systemd Type=notify support
+# Block needed for systemd Type=notify support
 init_write_pid_socket(pulpcore_server_t)
+# This line is used when /run/systemd/notify is appropriately labelled
 allow pulpcore_server_t init_var_run_t:unix_dgram_socket { connect create };
 allow pulpcore_server_t self:unix_dgram_socket { connect create };
+# This line is used when /run/systemd/notify is appropriately labelled
+# Need verification that it is actually needed though. I think I observed
+# it on a test EL7 system after fixing the labelling.
 allow kernel_t init_var_run_t:unix_dgram_socket sendto;
 
 miscfiles_read_generic_certs(pulpcore_t)