[systemd-devel] [PATCH 2/2] Run with a custom SMACK domain (label).

Lennart Poettering lennart at poettering.net
Tue Oct 8 15:16:31 PDT 2013


On Mon, 07.10.13 10:30, Kok, Auke-jan H (auke-jan.h.kok at intel.com) wrote:

> > Hi,
> > the patches look OK. I don't have a system with smack support at hand,
> > but I tested them on Fedora, and didn't notice any adverse effects.
> > If you've tested them with smack, then they should be applied, imo.
> 
> Thanks, I just applied them myself - I just wanted to give folks a bit
> of time to read and test - so thanks for doing so!

Hmm, the patches as they are merged now try to mount the SMACK version of
/run and /dev/shm also in containers. Will this work?

So far (at least for SELinux) we tried to turn off all security layers
in containers, since the policies are not virtualized. Due to that it
sounds more appropriate not to mount these SMACK versions in a
container. More specifically, I'd like to remove the MNT_IN_CONTAINER
flags from the lines you just added?

Does that make sense to you?

Lennart

-- 
Lennart Poettering - Red Hat, Inc.
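Added illustration of the gating argued for in the mail above; this is not code from the thread or from systemd's own mount-setup.c. It builds a constructed mount table in which each entry carries flags, and a selector that, when running inside a container, applies only entries marked MNT_IN_CONTAINER. The SMACK-labelled /run and /dev/shm entries drop that flag, as the mail proposes, so a container inherits no label-carrying mounts and the host's (non-virtualized) policy is left alone. The table contents, the `smackfsroot=` option string, the `MNT_FATAL` flag and all function names are assumptions made for this example.

```c
/* Added example: per-entry mount flags and a container-aware selector.
 * MNT_IN_CONTAINER is the flag named in the thread; everything else here
 * (table rows, option strings, helper names) is constructed for illustration
 * and is not systemd's actual code. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum {
    MNT_NONE         = 0,
    MNT_FATAL        = 1 << 0,  /* assumed: a failed mount aborts early boot   */
    MNT_IN_CONTAINER = 1 << 1,  /* entry is also applied inside a container    */
};

typedef struct MountPoint {
    const char *what;
    const char *where;
    const char *type;
    const char *options;
    int flags;
} MountPoint;

/* Constructed table.  The SMACK variants of /run and /dev/shm deliberately
 * lack MNT_IN_CONTAINER: the security policy is not virtualized, so the
 * container must not carry its own labelled copies of these mounts. */
static const MountPoint mount_table[] = {
    { "tmpfs", "/run",     "tmpfs", "mode=755",                MNT_FATAL | MNT_IN_CONTAINER },
    { "tmpfs", "/dev/shm", "tmpfs", "mode=1777",               MNT_IN_CONTAINER },
    { "tmpfs", "/run",     "tmpfs", "mode=755,smackfsroot=*",  MNT_FATAL },
    { "tmpfs", "/dev/shm", "tmpfs", "mode=1777,smackfsroot=*", MNT_NONE },
};
#define MOUNT_TABLE_LEN (sizeof(mount_table) / sizeof(mount_table[0]))

/* Inside a container only entries explicitly flagged for containers apply;
 * on the host every entry applies. */
bool entry_applies(const MountPoint *p, bool in_container)
{
    if (in_container && !(p->flags & MNT_IN_CONTAINER))
        return false;
    return true;
}

/* True when the entry carries a SMACK label option (assumed option name). */
bool entry_is_smack(const MountPoint *p)
{
    return p->options != NULL && strstr(p->options, "smackfsroot=") != NULL;
}

/* Fills `out` with up to `max` applicable entries; returns the total count. */
size_t select_mounts(bool in_container, const MountPoint **out, size_t max)
{
    size_t n = 0;
    for (size_t i = 0; i < MOUNT_TABLE_LEN; i++) {
        if (!entry_applies(&mount_table[i], in_container))
            continue;
        if (n < max)
            out[n] = &mount_table[i];
        n++;
    }
    return n;
}

size_t count_mounts(bool in_container)
{
    return select_mounts(in_container, NULL, 0);
}

/* The property the mail asks for: a container selection contains no
 * SMACK-labelled entry at all. */
bool container_selection_has_smack(void)
{
    const MountPoint *sel[MOUNT_TABLE_LEN];
    size_t n = select_mounts(true, sel, MOUNT_TABLE_LEN);
    for (size_t i = 0; i < n; i++)
        if (entry_is_smack(sel[i]))
            return true;
    return false;
}

/* Dry run: print what would be mounted on the host and in a container. */
int main(void)
{
    const MountPoint *sel[MOUNT_TABLE_LEN];
    for (int c = 0; c < 2; c++) {
        size_t n = select_mounts(c != 0, sel, MOUNT_TABLE_LEN);
        printf("%s: %zu entries\n", c ? "container" : "host", n);
        for (size_t i = 0; i < n; i++)
            printf("  %s on %s (%s)\n", sel[i]->what, sel[i]->where, sel[i]->options);
    }
    return 0;
}
```

The selector is the only place that consults the container state, so the policy decision (which mounts are safe to replicate inside a container) lives in the table's flags rather than in scattered conditionals; removing MNT_IN_CONTAINER from a row is the complete change.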
