[systemd-devel] Patch for Smack labelling support in udev

Kay Sievers kay at vrfy.org
Mon Oct 7 20:12:05 PDT 2013


On Tue, Oct 8, 2013 at 2:54 AM, Schaufler, Casey
<casey.schaufler at intel.com> wrote:

>> http://cgit.freedesktop.org/systemd/systemd/commit/?id=c26547d612733371494330e26c7d3604a5dba3d9
>>
>> Please check if that works for you.
>
> It's OK for devices. It won't work for files in general, as Smack
> uses multiple attributes in certain cases.

Right, the udev directive applies to kernel device nodes only; it
can't be used for any plain file.

> It won't work for any
> future LSM that uses multiple SECLABELS on a device.

The code supports lists, but there will be explicit code in udev
needed for any "future LSM" anyway, so this sounds fine, I guess.

> Yes, I have
> been requested to support multiple Smack labels on a file in
> the past. There are security semantics that could make sense.

Sounds fine. We can catch up whenever needed.

For now the udev directive matches the model we do for sockets, where
the actual xattr is hidden; that's why we wanted it for udev in a
similar fashion:
  http://cgit.freedesktop.org/systemd/systemd/tree/src/core/socket.c#n799

Kay
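An added illustration (not udev's or systemd's own code) of the model Kay describes: a SECLABEL{smack} assignment in a udev rule becomes a write of the otherwise hidden security.SMACK64 xattr, and only on a device node, never a plain file. The sample rule text and the helper names are constructed for this example.

```python
import os
import re
import stat

# Only Smack is wired up, as in the patch; any other LSM needs explicit code.
LSM_XATTR = {"smack": "security.SMACK64"}

# Matches a SECLABEL{module}="label" assignment inside a udev rule line.
_SECLABEL_RE = re.compile(r'SECLABEL\{(\w+)\}\s*=\s*"([^"]*)"')


def parse_seclabels(rules):
    """Return (xattr_name, label) pairs, in rule order (udev keeps a list).
    Raises ValueError for a module this helper has no labelling code for."""
    pairs = []
    for line in rules.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        for module, label in _SECLABEL_RE.findall(line):
            if module not in LSM_XATTR:
                raise ValueError("no labelling code for LSM module %r" % module)
            pairs.append((LSM_XATTR[module], label))
    return pairs


def apply_seclabels(path, pairs, dry_run=True):
    """Label a device node; refuse plain files, as the udev directive does.
    With dry_run (the default) nothing is written; the planned calls are
    returned so they can be logged or inspected."""
    mode = os.stat(path).st_mode
    if not (stat.S_ISCHR(mode) or stat.S_ISBLK(mode)):
        raise ValueError("%s is not a device node; SECLABEL does not apply" % path)
    planned = []
    for name, value in pairs:
        planned.append("setxattr(%s, %s, %r)" % (path, name, value))
        if not dry_run:
            # Needs a Smack-enabled kernel and CAP_MAC_ADMIN.
            os.setxattr(path, name, value.encode())
    return planned


# Constructed sample rules, not taken from the udev tree.
SAMPLE_RULES = """
# make the tun device accessible to any Smack subject
KERNEL=="tun", SECLABEL{smack}="*"
KERNEL=="fuse", SECLABEL{smack}="_"
"""
```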

