[systemd-devel] [PATCH] SMACK: Add configuration options. (v3)

Lennart Poettering lennart at poettering.net
Mon Oct 29 19:38:44 PDT 2012


On Mon, 29.10.12 15:30, Auke Kok (auke-jan.h.kok at intel.com) wrote:

> This adds SMACK label configuration options to socket units.

Merged!

But made a couple of changes on the way: I think the new config options
should clarify that you configure the security *label* with them, so I
renamed them to "SmackLabel=" and similar.

I also merged the three items in the man page into one, so that people
are hopefully less annoyed about "OMG i am not running my stuff with
SMACK OMG why is all this stuff in my systemd OMG systemd is bloated
OMG". After all people only complain about stuff that appears big even
if it is rather trivial in code.

One more thing though:

I think it would be cool to have support for SMACK in
ConditionVirtualization= as well. Currently this can be used to hook in
certain services only if SELinux is used. It would be cool if we'd have
similar support for SMACK too. (And also for IMA...) Any chance you can
hack that up for SMACK? Is there a nice way to detect whether SMACK is
in the kernel and enabled?

BTW, what loads the SMACK policy? We currently load the SELinux and IMA
policies right from PID 1 itself, before we invoke anything else. My
guess is that SMACK or AppArmor policies should probably be loaded
similarly early, since they should probably be in effect before the first
process is forked off.

Lennart

-- 
Lennart Poettering - Red Hat, Inc.
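The mail asks whether there is a nice way to detect whether SMACK is in the kernel and enabled. The script below is an added illustration, not part of the original thread and not systemd's own code, of the userspace checks such a condition could be built on: /proc/filesystems lists "smackfs" only when SMACK is compiled in, /sys/kernel/security/lsm (a file that appeared in kernels later than this 2012 mail) names the active LSMs, and the canonical smackfs mount point /sys/fs/smackfs holds the loaded rules in "load2". The ROOT prefix argument is an assumption introduced here purely so the functions can be run against a constructed fixture tree; on a live system it is the empty string.

```shell
#!/bin/sh
# Added example, not from the original mail or from systemd: answer the
# question "is SMACK in the kernel and enabled?" from userspace.
#
# Interfaces used (real kernel interfaces):
#   /proc/filesystems          lists "smackfs" only when SMACK is compiled in
#   /sys/kernel/security/lsm   comma-separated list of active LSMs (newer kernels)
#   /sys/fs/smackfs/load2      present once smackfs is mounted; holds the rules
#   /proc/self/attr/current    the caller's own label when SMACK is the active LSM
#
# ROOT is prefixed to every path; it exists only so the functions can be
# exercised against a constructed fixture tree (assumption: "" = live system).

# smack_in_kernel ROOT -> exit 0 if SMACK support is compiled into the kernel.
smack_in_kernel() {
    grep -qsw 'smackfs' "${1:-}/proc/filesystems"
}

# smack_enabled ROOT -> exit 0 if SMACK is the LSM currently enforcing.
# Prefer the explicit LSM list; on kernels that predate it, fall back to
# "smackfs is mounted at its canonical location".
smack_enabled() {
    root=${1:-}
    if [ -r "$root/sys/kernel/security/lsm" ]; then
        tr ',' '\n' < "$root/sys/kernel/security/lsm" | grep -qx 'smack'
        return $?
    fi
    [ -e "$root/sys/fs/smackfs/load2" ]
}

# smack_self_label ROOT -> prints the caller's SMACK label, or "-" if SMACK is
# not the active LSM (the attr file then belongs to some other LSM).
smack_self_label() {
    root=${1:-}
    if smack_enabled "$root" && [ -r "$root/proc/self/attr/current" ]; then
        tr -d '\0\n' < "$root/proc/self/attr/current"
    else
        printf '%s' '-'
    fi
}

# smack_status ROOT -> prints one of: absent | disabled | enabled
#   absent   - not compiled into the kernel
#   disabled - compiled in, but another LSM is active / smackfs not mounted
#   enabled  - SMACK is enforcing
smack_status() {
    root=${1:-}
    if ! smack_in_kernel "$root"; then
        echo absent
    elif smack_enabled "$root"; then
        echo enabled
    else
        echo disabled
    fi
}

# Report on the live system when run directly.
echo "SMACK: $(smack_status "") (label of this shell: $(smack_self_label ""))"
```

A ConditionSecurity=-style hook would only need the enabled/disabled distinction; the "absent" case is kept separate because a kernel with SMACK compiled in but another LSM selected at boot is the situation most likely to confuse a unit author.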

