Make bootupd_t permissive #2444
Conversation
The updated package does not use a service unit nor a socket one to be started by systemd. Related: coreos/bootupd#663
zpytela
force-pushed
the
bootpd-permissive
branch
from
b4857ab to
737350c
Compare
|
coreos/bootupd#663 is what dropped the use of systemd in the bootupd package. |
|
I'm working on coreos/bootupd#790 and we will need either this PR or more rules. |
|
Yes just to reiterate I don't think SELinux confinement for bootupd itself is providing much value now. Back when it was socket activated, it made some sense because while we restricted to root access, we don't necessarily want all code that happens to run as uid 0 to be able to initiate bootloader changes. But because there's no socket there's no "privilege changes" going on; bootupd is already pretty careful to only be touching things that it should be touching and so we're left only with "accidental damage" protection from the policy, but that same policy is just cramping development. |
Yep. This should merge (I assume since @zpytela opened the PR). Just for history/context, we talked with @zpytela and the need (compliance) for policies for things only apply if they have systemd services.. even if they aren't daemons. Since coreos/bootupd#663 dropped the use of those then we should be able to drop the policy for it (unless we add back something similar in the future). |
|
Should we remove the bootupd module because bootupd is not a service anymore and we do not need the module? |
Yes. My understanding is that this PR was an initial step in that direction. @zpytela should we merge this and open a new PR for dropping the module completely? |
|
As long as there is a service, there needs to be SELinux support for it. |
The updated package does not use a service unit nor a socket to be started by systemd.