[systemd-devel] [PATCH] SMACK: assign * label to /tmp when using SMACK.
Kok, Auke-jan H
auke-jan.h.kok at intel.com
Tue Oct 29 19:39:49 CET 2013
On Tue, Oct 29, 2013 at 12:02 AM, WaLyong Cho <walyong.cho at samsung.com> wrote:
> How about adding specific options for smack? According to
> http://schaufler-ca.com/description_from_the_linux_source_tree
>
> Smack supports some mount options:
>
> smackfsdef=label: specifies the label to give files that lack
> the Smack label extended attribute.
>
> smackfsroot=label: specifies the label to assign the root of the
> file system if it lacks the Smack extended attribute.
>
> smackfshat=label: specifies a label that must have read access to
> all labels set on the filesystem. Not yet enforced.
>
> smackfsfloor=label: specifies a label to which all labels set on the
> filesystem must have read access. Not yet enforced.
>
> If we support 'SmackFsRoot=label' option and append the 'smackfsroot' option
> after checking the smack by test_security("smack"), then I think we can
> solve most problems. (with Auke's worry)

Adding config options for optional mount options that aren't even
standard.... sorry, that just sounds like a terrible idea.

Let's see why the -s option in mount isn't working. For Tizen, I'd
rather see a ConditionSecurity=!smack / ConditionSecurity=smack pair
of complementary unit files since that is a method that should already
work and even cover the case where you boot with security=none or even
a kernel with smack disabled. Again a solution I would not recommend
carrying upstream but it solves the problem for Tizen well and would
be a 20-line patch or so.

Cheers,

Auke