[systemd-devel] [PATCH] Smack enabled systems need /dev special devices correctly labeled
Michael Demeter
michael.demeter at intel.com
Mon Oct 14 16:21:09 PDT 2013
Michael Demeter
Staff Security Engineer
Open Source Technology Center - SSG
Intel Corporation
On Oct 14, 2013, at 4:10 PM, Kay Sievers <kay at vrfy.org> wrote:
> On Tue, Oct 15, 2013 at 12:59 AM, Michael Demeter
> <michael.demeter at intel.com> wrote:
>> Yes it is very specific to Smack.
>
> Sure.
>
>> Yes this has been tested here.
>
> It looks to me like *everything* will have that label now. This is an
> unconditional rule.
Yes. Without it nothing can use the /dev devices except systemd.
>
>> It is not included as a policy file when the image is built if Smack is not
>> enabled. So will not affect anyone not using Smack.
>
> That's not the point, the point is if it *belongs* into the systemd
> repo, not if it's *enabled* by default or not. From what I see, it's
> nothing really we should ship upstream.
If Smack is enabled in systemd it starts very early and all of the special
devices need to be labeled properly for correct operation.
>
> Also, it should not repeat the primary permissions settings from the
> default rules, that is just not right.
This was done at Auke's request since the rule is adding the SECLABEL,
for debuggability to have the original rule present was desirable.
>
> Kay