[systemd-devel] [PATCH] Smack enabled systems need /dev special devices correctly labeled

Kay Sievers kay at vrfy.org
Mon Oct 14 16:33:57 PDT 2013


On Tue, Oct 15, 2013 at 1:21 AM, Michael Demeter
<michael.demeter at intel.com> wrote:

> It looks to me like *everything* will have that label now. This is an
> unconditional rule.
>
>
> Yes. Without it nothing can use the /dev devices except systemd

Again and again:

This will apply the label to ttys:
  SUBSYSTEM=="tty", SECLABEL{smack}="*"

This will pointlessly match on ttys, and apply the label to *all*
devices on the system:
  SUBSYSTEM=="tty",
  SECLABEL{smack}="*"

This is all wrong, please *really* test your stuff before submitting!

> It is not included as a policy file when the image is built if Smack is not
> enabled. So it will not affect anyone not using Smack.
>
> That's not the point, the point is if it *belongs* in the systemd
> repo, not if it's *enabled* by default or not. From what I see, it's
>
> nothing really we should ship upstream.
>
> If Smack is enabled in systemd it starts very early and all of the special
> devices need to be labeled properly for correct operation
>
> Also, it should not repeat the primary permissions settings from the
> default rules, that is just not right.
>
> This was done at Auke's request: since the rule is adding the SECLABEL,
> for debuggability having the original rule present was desirable.

Again, I don't need technical details here. In general it is not the goal
of systemd to ship a half-configured (regarding the device nodes)
Smack system, or to carry out product-specific policies.

Where does all the other needed policy live? You need to convince us
why such a policy should live in an upstream systemd repo, I'm really
not.

Kay
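Added illustration of the point made above (not part of Kay's message or of systemd's own parser): udev reads one rule per line, so breaking a rule after the match key yields two rules, and the second one carries only an assignment and therefore applies to every device event. The minimal parser below, with constructed sample rules, makes that visible; it also joins lines ending in a backslash, which is udev's line-continuation syntax.

```python
import re

# Constructed sample rules file showing both variants from the thread.
SAMPLE_RULES = """\
# one line -> one rule: the label is applied only to tty devices
SUBSYSTEM=="tty", SECLABEL{smack}="*"

# line break -> TWO rules; the second has no match key at all
SUBSYSTEM=="tty",
SECLABEL{smack}="*"
"""

# KEY{attr}OP"value" followed by an optional comma; "==" is tried before "=".
KEY_RE = re.compile(
    r'\s*([A-Za-z_]+)(?:\{([^}]*)\})?\s*(==|!=|\+=|-=|:=|=)\s*"([^"]*)"\s*,?')
MATCH_OPS = {"==", "!="}          # comparison operators; everything else assigns


def parse_rules(text):
    """Return one dict per rule with its 'matches' and 'assignments'.
    Rules are line-based; a trailing backslash continues the line."""
    rules, pending = [], ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        if not line or line.startswith("#"):
            continue
        matches, assigns, pos = [], [], 0
        while pos < len(line):
            m = KEY_RE.match(line, pos)
            if not m:
                raise ValueError(f"cannot parse: {line[pos:]!r}")
            key, attr, op, value = m.groups()
            (matches if op in MATCH_OPS else assigns).append((key, attr, op, value))
            pos = m.end()
        rules.append({"matches": matches, "assignments": assigns})
    return rules


def unconditional_rules(rules):
    """Rules that assign something but match on nothing fire for every device."""
    return [r for r in rules if r["assignments"] and not r["matches"]]
```

Running `unconditional_rules(parse_rules(SAMPLE_RULES))` returns exactly the lone `SECLABEL{smack}="*"` rule, which is the unconditional rule Kay describes.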
