[systemd-devel] [PATCH] SMACK: assign * label to /tmp when using SMACK.
Kok, Auke-jan H
auke-jan.h.kok at intel.com
Mon Oct 28 17:57:58 CET 2013
On Mon, Oct 28, 2013 at 3:44 AM, WaLyong Cho <walyong.cho at samsung.com> wrote:
> At the same reason of /run and /dev/shm, when systemd is running with
> SMACK, countless tasks are failed by missed privilege.
> To avoid, /tmp is assigned '*' label.
We discussed this problem earlier in our office last week as we're
looking in to the same issues here, but the solution in this patch is
very problematic:
> +m4_ifdef(`HAVE_SMACK',
> +`Options=mode=1777,strictatime,smackfsroot=*',
> +`Options=mode=1777,strictatime')
The issue is here - the way you pass these options into tmp.mount make
it so that everyone who has compiled systemd with Smack enabled cause
them to attempt to mount tmpfs with these smack option.
This is a problem since:
1) mount fails if the option smackfsroot=* is "not known", and because
2) if the kernel was not booted with Smack, the option is not known/invalid
and most importantly:
3) everyone who compiles systemd with xattr support will have Smack
enabled too, even if they did not pass --enable-smack to configure.
In short, you'd break everyone's tmp.mount with this patch.
Patches like this need to stay out of the upstream tree, until we
figure out how to automatically retry without these Smack specific
options, or some other more elegant solution that doesn't break
everyone else.
Cheers,
Auke
More information about the systemd-devel
mailing list