[systemd-devel] Patch for Smack labelling support in udev

Schaufler, Casey casey.schaufler at intel.com
Mon Oct 7 17:54:48 PDT 2013


> -----Original Message-----
> From: Kay Sievers [mailto:kay at vrfy.org]
> Sent: Monday, October 07, 2013 5:34 PM
> To: Kok, Auke-jan H
> Cc: Reshetova, Elena; Schaufler, Casey; systemd-devel at lists.freedesktop.org; walyong.cho at samsung.com; Ware, Ryan R
> Subject: Re: [systemd-devel] Patch for Smack labelling support in udev
> 
> On Thu, Sep 12, 2013 at 10:13 PM, Kok, Auke-jan H <auke-jan.h.kok at intel.com> wrote:
> > On Thu, Sep 12, 2013 at 10:23 AM, Kay Sievers <kay at vrfy.org> wrote:
> >> On Fri, Aug 9, 2013 at 8:56 PM, Kok, Auke-jan H
> >> <auke-jan.h.kok at intel.com> wrote:
> >>> On Wed, Jul 24, 2013 at 3:15 AM, Reshetova, Elena <elena.reshetova at intel.com> wrote:
> >>
> >>>> For example, I can set a couple of smack-related xattrs in one go
> >>>> like XATTR{security.SMACK64}="*", XATTR{security.SMACK64EXEC}="*".
> >>>> Doesn't make sense from smack point of view (only smack64 is really
> >>>> meaningful on device nodes), but proves that functionality works.
> >>>
> >>> right, but we could be setting other non-SMACK xattrs now all in one
> >>> go - for example, SELINUX ones ("security.selinux").
> >>
> >> Yeah, *looks* powerful, but also scary. :)
> 
> Udev now supports:
>   SECLABEL{smack}="name"
> 
> http://cgit.freedesktop.org/systemd/systemd/commit/?id=c26547d612733371494330e26c7d3604a5dba3d9
> 
> Please check if that works for you.

It's OK for devices. It won't work for files in general, as Smack
uses multiple attributes in certain cases. It won't work for any
future LSM that uses multiple SECLABELS on a device. Yes, I have
been requested to support multiple Smack labels on a file in
the past. There are security semantics that could make sense.


> Thanks,
> Kay
