[systemd-devel] [PATCH 2/2] Run with a custom SMACK domain (label).

Schaufler, Casey casey.schaufler at intel.com
Thu Oct 10 10:32:33 PDT 2013


> -----Original Message-----
> From: Lennart Poettering [mailto:lennart at poettering.net]
> Sent: Thursday, October 10, 2013 9:51 AM
> To: Schaufler, Casey
> Cc: Kok, Auke-jan H; Zbigniew Jędrzejewski-Szmek; systemd-devel
> Subject: Re: [systemd-devel] [PATCH 2/2] Run with a custom SMACK domain
> (label).
> 
> On Tue, 08.10.13 22:29, Schaufler, Casey (casey.schaufler at intel.com) wrote:
> 
> > > On Mon, 07.10.13 10:30, Kok, Auke-jan H (auke-jan.h.kok at intel.com)
> wrote:
> > >
> > > > > Hi,
> > > > > the patches look OK. I don't have a system with smack support at
> > > > > hand, but I tested them on Fedora, and didn't notice any adverse
> effects.
> > > > > If you've tested them with smack, then they should be applied, imo.
> > > >
> > > > Thanks, I just applied them myself - I just wanted to give folks a
> > > > bit of time to read and test - so thanks for doing so!
> > >
> > > Hmm, the patches as they are merged now try to mount the SMACK
> > > version of /run and /dev/shm also in containers. Will this work?
> >
> > So long as the cgroup filesystem propagates the xattrs to and from the
> > real filesystem it won't be a problem. If the cgroup filesystem is not
> > doing that there will be a problem.
> 
> I can't parse this.

That's because it doesn't make sense.
I had been under the impression that cgroupfs was something
other than what it is. Now that I understand better I see that
this is a nonsensical statement.

Read it as "everything is OK".
 
> > > So far (at least for SELinux) we tried to turn off all security
> > > layers in containers, since the policies are not virtualized.
> >
> > I don't know what you mean by "virtualized" in this context.
> 
> Well, unlike for example the PID namespace stuff where the PIDs are
> virtualized there is no scheme where the SMACK enforcement could be
> virtualized, so that an OS container could install its own SMACK policy, and so
> that SMACK labels from the container are different things even though they
> share the same name with labels from the host. (I mean, I am not saying this
> would be even desirable...)

OK, that 

We've identified how we could do Smack namespaces if we wanted
to. I am pretty sure that we don't want to at this point, and that
we probably won't in the near future.

> 
> Lennart
> 
> --
> Lennart Poettering - Red Hat, Inc.

