<varname>SystemCallFilter=</varname>, or
<varname>SystemCallLog=</varname> are specified. Note that even if this setting is overridden
by them, <command>systemctl show</command> shows the original value of this setting. In case the
- service will be run in a new mount namespace anyway, all file systems are mounted with MS_NOSUID
- flag. Also see <ulink url="https://www.kernel.org/doc/html/latest/userspace-api/no_new_privs.html">
- No New Privileges Flag</ulink>.</para></listitem>
+ service will be run in a new mount namespace anyway and SELinux is disabled, all file systems
+ are mounted with <constant>MS_NOSUID</constant> flag. Also see
+ <ulink url="https://www.kernel.org/doc/html/latest/userspace-api/no_new_privs.html">No New
+ Privileges Flag</ulink>.</para></listitem>
</varlistentry>
<varlistentry>
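Review bot: the new wording states the SELinux condition but not the reason for it, so a reader of the man page cannot tell why "SELinux is disabled" is relevant to suid mounts; add a clause saying why MS_NOSUID is withheld on SELinux systems (it is the kind of interaction administrators need to know when auditing NoNewPrivileges= units). Two smaller points on the same lines: "mounted with <constant>MS_NOSUID</constant> flag" is missing an article ("with the <constant>MS_NOSUID</constant> flag"), and since the rest of the paragraph is careful to say that <command>systemctl show</command> reports the original value, it would help to say how the effective mount flags can be checked from inside the service (for example by inspecting the mount options in the unit's mount namespace), so the reader has a way to confirm which branch applied.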
.proc_subset = context->proc_subset,
.private_ipc = context->private_ipc || context->ipc_namespace_path,
/* If NNP is on, we can turn on MS_NOSUID, since it won't have any effect anymore. */
- .mount_nosuid = context->no_new_privileges,
+ .mount_nosuid = context->no_new_privileges && !mac_selinux_use(),
};
} else if (!context->dynamic_user && root_dir)
/*
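Review bot: the comment directly above the changed line, "If NNP is on, we can turn on MS_NOSUID, since it won't have any effect anymore.", is now contradicted by the code it describes: the added `&& !mac_selinux_use()` exists precisely because MS_NOSUID does have an effect under NNP when SELinux is in use, yet the comment gives no hint of that. Please extend the comment to state why SELinux is excluded, e.g. "... except with SELinux, where nosuid mounts still affect exec-time transitions, so leave the flag off there", so the next person touching `.mount_nosuid` does not "simplify" the condition back to `context->no_new_privileges`. Also note for the changelog that `mac_selinux_use()` reflects whether SELinux is in use at runtime (and built in), which is a slightly stronger condition than the man page's "SELinux is disabled"; the two texts should agree.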