| Message ID | 20191211133201.2353261-1-dac.override@gmail.com (mailing list archive) |
|---|---|
| State | Superseded |
| Headers | show |
| Series | mcstrans: start early and stop late | expand |
diff --git a/mcstrans/src/mcstrans.service b/mcstrans/src/mcstrans.service index 09529432..08a41585 100644 --- a/mcstrans/src/mcstrans.service +++ b/mcstrans/src/mcstrans.service @@ -2,6 +2,8 @@ Description=Translates SELinux MCS/MLS labels to human readable form Documentation=man:mcstransd(8) ConditionSecurity=selinux +DefaultDependencies=no +Before=sysinit.target [Service] ExecStart=/sbin/mcstransd -f
It stopped too early, exposing a bug in sudo selinux_restore_tty(): SELINUX_ERR op=setxattr invalid_context="wheel.id:wheel.role:users.terminals.pty.pty_file:SystemLow" avc: denied { mac_admin } for pid=859 comm="sudo" capability=33 scontext=wheel.id:wheel.role:sudo.wheel.subj:s0 tcontext=wheel.id:wheel.role:sudo.wheel.subj:s0 tclass=capability2 permissive=0 If we want to be able to reference human readable contexts in SELinuxContext= and nspawn -Z and -L then we need mcstrans ASAP Signed-off-by: Dominick Grift <dac.override@gmail.com> --- mcstrans/src/mcstrans.service | 2 ++ 1 file changed, 2 insertions(+)