[systemd-devel] [PATCH] SMACK: assign * label to /tmp when using SMACK.

Kok, Auke-jan H auke-jan.h.kok at intel.com
Tue Nov 12 09:35:29 PST 2013


On Nov 12, 2013 6:16 AM, "Karel Zak" <kzak at redhat.com> wrote:
>
> On Fri, Nov 01, 2013 at 09:19:27AM -0700, Kok, Auke-jan H wrote:
> > On Fri, Nov 1, 2013 at 12:57 AM, Karel Zak <kzak at redhat.com> wrote:
> > > On Thu, Oct 31, 2013 at 01:20:18PM -0700, Kok, Auke-jan H wrote:
> > >> >  BTW, for SELinux we remove selinux specific mount options in
> > >> >  userspace (in mount(8)) if the kernel does not support selinux.
> > >> >
> > >> >  It helps us to make command line or fstab setting independent of
> > >> >  the current kernel features.
> > >> >
> > >> >  Maybe we can use the same for SMACK, is there any way how to
> > >> >  determine that the system uses SMACK? (/proc/<something> or so...).
> > >> >  -- for selinux we check for /sys/fs/selinux or /selinux.
> > >>
> > >> Ohh yes that would be so nice.
> > >>
> > >> You've got your choice for detecting smack, but I like
> > >> stat(/sys/fs/smackfs) == 0 the best so far. You can parse
> > >> /proc/filesystems for smackfs too, but that's obviously more complex.
> > >> This method works with 3.9 and above, as that's when we made sysfs
> > >> hold the mount point for smackfs.
> > >>
> > >> I assume we're talking about this code here:
> > >>
> > >>
> > >> https://github.com/karelzak/util-linux/blob/master/libmount/src/context_mount.c#L181
> > >
> > >  Yes, the "se_rem" code (with SELinux it is tricky, because old
> > >  kernels don't support selinux options remount, options duplication is
> > >  a problem, etc.). I guess that for SMACK it will be less complex :-).
> > >
> > >  Do you have a list of the smack mount options somewhere? I'll prepare
> > >  the patch.
> >
> > Yes, the authoritative documentation is the code:
> >
> >
> > https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/security/smack/smack.h#n143
>
>
>  OK, implemented:
>
> https://github.com/karelzak/util-linux/commit/b8095d25bae0588dfce8a62169f6db5496cf45c5
>
>  You have to compile util-linux with --with-smack.
>
>  It's a trivial change, so I can backport it to the next stable release
>  v2.24.1 (at the end of this year). OK?

Awesome - looks good (with the typo fix) and we'll get this tested.

Thanks again!

Auke
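
The approach discussed in this thread, sketched as an added example (not part of the original message and not the code from the util-linux commit): detect SMACK with stat() on the smackfs mount point and, when it is absent, drop the SMACK mount options in userspace. The option names are the ones defined in the kernel's smack.h; the function names and the sample option string are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

/* SMACK mount option names, from the kernel's security/smack/smack.h. */
static const char *const smack_opts[] = { "smackfsdef", "smackfsfloor",
    "smackfshat", "smackfsroot", "smackfstransmute" };

/* Detection from the thread: stat() on the smackfs mount point (3.9+). */
int smack_available(const char *mnt)
{
    struct stat st;
    return stat(mnt, &st) == 0;
}

/* True for "name" or "name=value" where name is a SMACK option. */
static int is_smack_opt(const char *opt, size_t len)
{
    for (size_t i = 0; i < sizeof(smack_opts) / sizeof(*smack_opts); i++) {
        size_t n = strlen(smack_opts[i]);
        if (len >= n && !strncmp(opt, smack_opts[i], n) &&
            (len == n || opt[n] == '='))
            return 1;
    }
    return 0;
}

/* Drop SMACK options in place; quoted values with commas are not handled. */
char *strip_smack_opts(char *opts)
{
    char *src = opts, *dst = opts;
    while (*src) {
        size_t len = strcspn(src, ",");
        if (!is_smack_opt(src, len)) {
            if (dst != opts) *dst++ = ',';
            memmove(dst, src, len);
            dst += len;
        }
        src += len + (src[len] == ',');
    }
    *dst = '\0';
    return opts;
}

int main(void)
{
    char opts[] = "rw,smackfsroot=*,mode=1777";  /* constructed sample */
    puts(smack_available("/sys/fs/smackfs") ? opts : strip_smack_opts(opts));
    return 0;
}
```

On a kernel without SMACK this prints `rw,mode=1777`, so the same fstab line mounts cleanly whether or not the LSM is present.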