[systemd-devel] [PATCH] Smack enabled systems need /dev special devices correctly labeled

Michael Demeter michael.demeter at intel.com
Mon Oct 14 15:59:45 PDT 2013


Yes, it is very specific to Smack.

Yes, this has been tested here.

It is not included as a policy file when the image is built if Smack is not enabled. So it will not affect anyone not using Smack.

Michael Demeter
Staff Security Engineer
Open Source Technology Center - SSG
Intel Corporation



On Oct 14, 2013, at 3:54 PM, Kay Sievers <kay at vrfy.org> wrote:

> On Mon, Oct 14, 2013 at 11:58 PM, Michael Demeter
> <michael.demeter at intel.com> wrote:
> 
>> +KERNEL=="tty[A-Z]*[0-9]|pppox[0-9]*|ircomm[0-9]*|noz[0-9]*|rfcomm[0-9]*",
>> +GROUP="dialout", SECLABEL{smack}="*"
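Review bot: The rule is split across two lines after the trailing comma on the KERNEL== line, with no backslash continuation. udev treats each line as its own rule, so as quoted the second line, GROUP="dialout", SECLABEL{smack}="*", has no match key and would apply to every device instead of only the ones matched above. If the break is in the patch itself and not introduced by mail wrapping, keep the match and both assignments on one line. A comment stating why the Smack "*" label is appropriate for these nodes would also help, since an object labeled "*" is accessible to every subject.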
> 
> The SECLABEL{} instruction in a separate line? What is that supposed
> to do? Have you tested any of this?
> 
> Also, I'm not convinced that this belongs into the upstream repo. This
> seems like a very specific policy, similar to the selinux policy,
> which does not necessarily belong into systemd. Where is the policy
> defined for the apps and other stuff, isn't that the better place?
> 
> Kay
