[systemd-devel] [PATCH] SMACK: Add configuration options. (v3)
Lennart Poettering
lennart at poettering.net
Tue Oct 30 16:12:12 PDT 2012
On Tue, 30.10.12 23:04, Schaufler, Casey (casey.schaufler at intel.com) wrote:
> Yup. That was the convention at the time Smack was introduced.
>
> > That should
> > really be fixed. We moved all the other file systems (selinux, cgroups,
> > ...) below /sys,
>
> No one said boo about Smack at the time.

Sorry about that, but I guess we didn't notice it since SMACK is not
available on Fedora...

> > Follow the SELinux scheme please and introduce /sys/fs/smack, and use
> > that as default mount point.
>
> I have been advocating standardization of LSM interfaces
> for some time. The apparmor folks put theirs at
> /sys/kernel/security/apparmor. I would hardly say that
> /sys/fs/smack would be better than /sys/kernel/security/smack.
> I plan to move it when there's a consensus of where LSM
> filesystems should go, or when there's a compelling reason
> to go someplace in particular. I'm afraid that "SELinux does
> in this way" is not an argument *by itself* that goes very
> far with the Smack project.

I think the rule was that if it's an fs of its own it should be in
/sys/fs, but if it is implemented based on securityfs then it should of
course appear below /sys/kernel/security.

Given that SMACK and SELinux have their own file systems, /sys/fs/smack
and /sys/fs/selinux sounds like the right choice. And AppArmor uses
securityfs, hence /sys/kernel/security/apparmor is their root of the tree.

I hope that makes some sense?

Lennart
--
Lennart Poettering - Red Hat, Inc.
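
The placement rule stated in the message above can be checked against a host's mount table. The following is an added example, not part of the original message or of systemd: it parses text in /proc/mounts format and flags LSM filesystems mounted somewhere other than the paths named in the message. The sample mount table, including the `/smack` mount point, is constructed.

```python
import re

# Expected mount points, taken from the message above.
EXPECTED = {
    "smackfs": "/sys/fs/smack",
    "selinuxfs": "/sys/fs/selinux",
    "securityfs": "/sys/kernel/security",  # AppArmor's tree lives below this
}

def unescape(field):
    """Decode the octal escapes (\\040 for space, etc.) used in /proc/mounts."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)

def audit_mounts(text):
    """Return (fstype, mountpoint, ok) for every LSM filesystem mount found."""
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue  # blank or malformed line
        mountpoint, fstype = unescape(fields[1]), fields[2]
        if fstype in EXPECTED:
            findings.append((fstype, mountpoint, mountpoint == EXPECTED[fstype]))
    return findings

# Constructed sample in /proc/mounts format (not captured from a real host).
SAMPLE = """\
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
securityfs /sys/kernel/security securityfs rw,relatime 0 0
smackfs /smack smackfs rw,relatime 0 0
selinuxfs /sys/fs/selinux selinuxfs rw,relatime 0 0
tmpfs /mnt/my\\040data tmpfs rw 0 0
"""

if __name__ == "__main__":
    for fstype, mountpoint, ok in audit_mounts(SAMPLE):
        status = "ok      " if ok else "MISMATCH"
        print(f"{status} {fstype:<10} at {mountpoint} "
              f"(expected {EXPECTED[fstype]})")
```

On a live system, pass the contents of /proc/mounts to `audit_mounts` instead of `SAMPLE`.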