[systemd-devel] [PATCH 1/2] Mount /run, /dev/shm usable to tasks when using SMACK.

Kok, Auke-jan H auke-jan.h.kok at intel.com
Wed Oct 2 09:54:27 PDT 2013


On Tue, Oct 1, 2013 at 4:40 PM, Lennart Poettering
<lennart at poettering.net> wrote:
> On Tue, 01.10.13 16:11, Auke Kok (auke-jan.h.kok at intel.com) wrote:
>
>> Once system itself is running in a security domain for SMACK,
>> it will fail to start countless tasks due to missing privileges
>> for mounted and created directory structures. For /run and shm
>> specifically, we grant all tasks access.
>
> Hmm, I am not convinced this patch is really desirable. So far we tried
> to make sure that a systemd that is compiled with selinux/smack/ima
> support works on kernels that lack it and vice versa. However, if I am
> not mistaken this patch will break this, as you set MNT_FATAL for the
> mounts but unconditionally add smackfsroot=* to the mount options --
> which if I am not mistaken will cause the mount to fail on kernels that
> lack SMACK, right?

Thanks for replying - I was struggling to figure out if we really want to do
that or not.

> Something that might work is simply dropping the MNT_FATAL from the
> HAVE_SMACK lines. That way, it will be attempted to mount things with
> the specified parameters, and if that fails it will be retried
> immediately with the following line that lacks the smackfsdef= param?
> The mounting code is smart enough to detect if /run is mounted and will
> not actually try to mount things twice if something is found to be
> mounted there already...

I like that, that's totally reasonable. Will respin.

Auke
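
The fallback discussed in this thread, as a small C model added here for illustration (it is not systemd's mount code or part of the patch): a table walked in order, where a failed entry aborts only if it carries MNT_FATAL and a later entry for the same path is skipped once something is mounted there. Every name except MNT_FATAL and smackfsroot=* is hypothetical, and the `mode=755` option and the kernel behaviour are constructed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Model only: flag values, struct layout and function names are hypothetical. */
enum { MNT_NONE = 0, MNT_FATAL = 1 };
struct entry { const char *where; const char *options; int flags; };

/* Constructed kernel model: without SMACK, SMACK mount options are rejected. */
static bool kernel_mount(const struct entry *e, bool kernel_has_smack) {
    return kernel_has_smack || strstr(e->options, "smackfsroot=") == NULL;
}

/* Walk the table in order for one mount point. Returns the index of the
 * entry that got mounted, -1 if none did, -2 if an MNT_FATAL entry failed. */
static int mount_all(const struct entry *t, size_t n, const char *where,
                     bool kernel_has_smack) {
    int mounted = -1;
    for (size_t i = 0; i < n; i++) {
        if (strcmp(t[i].where, where) != 0)
            continue;
        if (mounted >= 0)
            continue;               /* already a mount point: do not mount twice */
        if (kernel_mount(&t[i], kernel_has_smack))
            mounted = (int)i;
        else if (t[i].flags & MNT_FATAL)
            return -2;              /* fatal entry failed: boot would stop here */
    }
    return mounted;
}

/* As objected to in the thread: the SMACK line is fatal. */
static const struct entry fatal_table[] = {
    { "/run", "mode=755,smackfsroot=*", MNT_FATAL },
    { "/run", "mode=755",               MNT_FATAL },
};
/* As suggested in the thread: MNT_FATAL dropped from the SMACK line only. */
static const struct entry fallback_table[] = {
    { "/run", "mode=755,smackfsroot=*", MNT_NONE },
    { "/run", "mode=755",               MNT_FATAL },
};

int main(void) {
    printf("fatal, no SMACK:    %d\n", mount_all(fatal_table, 2, "/run", false));
    printf("fallback, no SMACK: %d\n", mount_all(fallback_table, 2, "/run", false));
    printf("fallback, SMACK:    %d\n", mount_all(fallback_table, 2, "/run", true));
    return 0;
}
```

On a SMACK kernel the labelled entry wins and the plain one is never attempted, so the fallback does not weaken the SMACK configuration; it only changes what happens on kernels that lack SMACK.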

