@@ -50,6 +50,8 @@ install: all
install -m 644 org.selinux.Restorecond.service $(DESTDIR)$(DBUSSERVICEDIR)/org.selinux.Restorecond.service
-mkdir -p $(DESTDIR)$(SYSTEMDDIR)/system
install -m 644 restorecond.service $(DESTDIR)$(SYSTEMDDIR)/system/
+ -mkdir -p $(DESTDIR)$(SYSTEMDDIR)/user
+ install -m 644 restorecond-user.service $(DESTDIR)$(SYSTEMDDIR)/user/
relabel: install
/sbin/restorecon $(DESTDIR)$(SBINDIR)/restorecond
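Review bot: the leading "-" on the new "mkdir -p $(DESTDIR)$(SYSTEMDDIR)/user" line tells make to ignore a failed directory creation, so a permissions or DESTDIR problem only surfaces one line later as a less obvious install error. "mkdir -p" already succeeds when the directory exists, so the prefix can be dropped here, even though it copies the existing system/ line above it. It would also help to note in the commit message that $(SYSTEMDDIR)/user is where systemd looks up per-user units, since the Makefile only handled system/ until now.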
@@ -1,3 +1,4 @@
[D-BUS Service]
Name=org.selinux.Restorecond
Exec=/usr/sbin/restorecond -u
+SystemdService=restorecond-user.service
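Review bot: after "SystemdService=restorecond-user.service" is added, the command line exists in two places: "Exec=/usr/sbin/restorecond -u" in this file and ExecStart= in the new unit. Which one runs depends on whether the session bus hands activation to systemd, so the two can drift apart without anyone noticing. Please add a short comment here saying that Exec= is kept for buses that do not use systemd activation and must stay identical to the unit's ExecStart=.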
new file mode 100644
@@ -0,0 +1,10 @@
+[Unit]
+Description=Restorecon maintaining path file context (user service)
+Documentation=man:restorecond(8)
+ConditionPathExists=/etc/selinux/restorecond_user.conf
+ConditionSecurity=selinux
+
+[Service]
+Type=dbus
+BusName=org.selinux.Restorecond
+ExecStart=/usr/sbin/restorecond -u
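Review bot: "ExecStart=/usr/sbin/restorecond -u" hard-codes the binary path, while the Makefile's relabel target refers to the same binary as $(DESTDIR)$(SBINDIR)/restorecond, so a build with a non-default SBINDIR installs a unit that points at the wrong location. Either generate the unit from a template at install time or state that /usr/sbin is assumed, as the D-Bus service file already does. Separately, ConditionPathExists= and ConditionSecurity=selinux gate only the systemd-activated path; the Exec= line in org.selinux.Restorecond.service has no equivalent check, so it is worth saying in the commit message what a D-Bus caller sees when a condition is not met.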
When running restorecond in user sessions using D-Bus activation,
restorecond's process is spawned in the CGroup of the D-Bus daemon:

    $ systemctl --user status
    [...]
       CGroup: /user.slice/user-1000.slice/user@1000.service
               ├─init.scope
               │ ├─1206 /usr/lib/systemd/systemd --user
               │ └─1208 (sd-pam)
               └─dbus.service
                 ├─1628 /usr/bin/dbus-daemon --session --address=systemd:
                 └─4570 /usr/sbin/restorecond -u

In order to separate it, introduce a systemd unit for
restorecond-started-as-user. After this patch:

       CGroup: /user.slice/user-1000.slice/user@1000.service
               ├─restorecond-user.service
               │ └─2871 /usr/sbin/restorecond -u
               ├─init.scope
               │ ├─481 /usr/lib/systemd/systemd --user
               │ └─485 (sd-pam)
               └─dbus.service
                 └─2868 /usr/bin/dbus-daemon --session --address=systemd:

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
---
 restorecond/Makefile                        |  2 ++
 restorecond/org.selinux.Restorecond.service |  1 +
 restorecond/restorecond-user.service        | 10 ++++++++++
 3 files changed, 13 insertions(+)
 create mode 100644 restorecond/restorecond-user.service