[systemd-devel] [PATCH] Smack enabled systems need /dev special devices correctly labeled

Kok, Auke-jan H auke-jan.h.kok at intel.com
Mon Oct 14 16:22:10 PDT 2013


On Mon, Oct 14, 2013 at 3:54 PM, Kay Sievers <kay at vrfy.org> wrote:
> On Mon, Oct 14, 2013 at 11:58 PM, Michael Demeter
> <michael.demeter at intel.com> wrote:
>
>> +KERNEL=="tty[A-Z]*[0-9]|pppox[0-9]*|ircomm[0-9]*|noz[0-9]*|rfcomm[0-9]*",
>> +GROUP="dialout", SECLABEL{smack}="*"
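Review bot: as quoted, the rule is split across two lines, with the KERNEL match ending in a trailing comma and `GROUP="dialout", SECLABEL{smack}="*"` starting a fresh line. If that is how the patch reads and not just mail wrapping, udev parses the second line as a rule with no match key at all, so every device would get the `*` label and the dialout group; please confirm the rule is one line in the actual patch. It would also help to add a comment in the rules file saying why `*` (which Smack treats as accessible to any subject) is the intended label for these dialout devices rather than a more restrictive one.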
>
> The SECLABEL{} instruction in a separate line? What is that supposed
> to do? Have you tested any of this?

looks like the patch got munged in the process here (wrapped).

> Also, I'm not convinced that this belongs into the upstream repo. This
> seems like a very specific policy, similar to the selinux policy,
> which does not necessarily belong into systemd. Where is the policy
> defined for the apps and other stuff, isn't that the better place?

We had a discussion about this in the office here, because I was
hesitant about merging this upstream at first as well.

However, the rules above (or, at least what they intend to do) are
useful regardless of whether you actually have created a Smack
policy or not. Creating a Smack policy can be complex or simple, but
there are a few basic things that should be tweaked even without any
existing policy in place, hence, it makes sense to merge this
upstream. After all, no matter the policy, these rules here are going
to be needed.

In short, setting '*' here as the label is useful for all implementations
of Smack, policy present or not.

This basically boils down to the built-in set of rules that Smack has
in the kernel - without these rules basic operation will stop working
once you create a Smack policy. We want to make it easy for Smack
users to create their Smack policy without having to hunt down all
sorts of really low level Smack effects, and this is part of that.

Cheers,

Auke
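The point Auke makes above, that the `*` label works with or without a loaded policy, follows from the access-check order that the kernel applies before consulting any loaded rules. The script below is an added example, not code from systemd or the Smack kernel tree: it models that documented check order (star subject denied; hat subject and floor object allow read/execute; star object allowed; same label allowed; otherwise the loaded policy decides) for the r/w/x/a modes, and pairs it with a small parser for udev rule lines that pulls out the `SECLABEL{smack}` value and flags a rule that has assignments but no match key, which is what a wrapped line like the one quoted above would turn into. The rule text, label names and policy dict are constructed for illustration.

```python
import re

# Special Smack labels with built-in semantics (from the kernel's Smack docs).
STAR, HAT, FLOOR = "*", "^", "_"

# One udev key/operator/value token: KEY, optional {attr}, operator, "value".
# Longer operators are listed first so that "==" is not read as "=".
_TOKEN = re.compile(r'([A-Z_]+(?:\{[^}]*\})?)\s*(==|!=|\+=|:=|=)\s*"([^"]*)"')


def parse_udev_rule(line):
    """Split one udev rule line into match keys (==, !=) and assignments.

    Returns (matches, assigns), each a list of (key, operator, value).
    """
    matches, assigns = [], []
    for key, op, value in _TOKEN.findall(line):
        (matches if op in ("==", "!=") else assigns).append((key, op, value))
    return matches, assigns


def rule_problems(line):
    """Review findings for a single rule line; an empty list means it looks sane."""
    matches, assigns = parse_udev_rule(line)
    problems = []
    if assigns and not matches:
        problems.append("assignments without a match key: applies to every device")
    if matches and not assigns:
        problems.append("match keys without an assignment: rule has no effect")
    if line.rstrip().endswith(","):
        problems.append("trailing comma: line looks truncated or wrapped")
    return problems


def smack_label_from_rule(line):
    """Return the label assigned via SECLABEL{smack}, or None if the rule has none."""
    _, assigns = parse_udev_rule(line)
    for key, _op, value in assigns:
        if key == "SECLABEL{smack}":
            return value
    return None


def smack_allowed(subject, obj, access, policy):
    """Model of Smack's access check for a task labeled `subject` on an object
    labeled `obj`, where `access` is a string of r/w/x/a characters.

    `policy` maps (subject_label, object_label) -> permitted access string and
    stands in for the rules loaded through smackfs.  Built-in rules are checked
    first, in the documented order, and only then the loaded policy.
    """
    want = set(access)
    if not want or not want <= set("rwxa"):
        raise ValueError("access must be a non-empty subset of 'rwxa'")
    if subject == STAR:                                   # star subject: always denied
        return False
    if subject == HAT and want <= {"r", "x"}:             # hat subject may read/execute anything
        return True
    if obj == FLOOR and want <= {"r", "x"}:               # floor object readable/executable by all
        return True
    if obj == STAR:                                       # star object: any access permitted
        return True
    if subject == obj:                                    # same label: permitted
        return True
    return want <= set(policy.get((subject, obj), ""))    # otherwise ask the loaded policy


def dialout_demo():
    """Apply the model to a constructed rule in the style of the quoted patch."""
    rule = 'KERNEL=="tty[A-Z]*[0-9]|pppox[0-9]*", GROUP="dialout", SECLABEL{smack}="*"'
    label = smack_label_from_rule(rule)          # "*"
    no_policy = {}
    return {
        "rule problems": rule_problems(rule),
        "App rw on star-labelled tty, no policy": smack_allowed("App", label, "rw", no_policy),
        "App rw on floor-labelled tty, no policy": smack_allowed("App", FLOOR, "rw", no_policy),
        "App r on floor-labelled tty, no policy": smack_allowed("App", FLOOR, "r", no_policy),
        "App rw on System-labelled tty, no policy": smack_allowed("App", "System", "rw", no_policy),
        "App rw on System-labelled tty, with rule": smack_allowed(
            "App", "System", "rw", {("App", "System"): "rw"}),
    }


if __name__ == "__main__":
    for what, result in dialout_demo().items():
        print(f"{what}: {result}")
    # A wrapped rule, as it appears in the quoted mail, splits into two bad lines:
    for part in ('KERNEL=="tty[A-Z]*[0-9]|pppox[0-9]*",', 'GROUP="dialout", SECLABEL{smack}="*"'):
        print(repr(part), "->", rule_problems(part))
```

The demo shows the trade-off in Auke's argument: a device node labelled `*` is reachable by every subject label before any policy exists, which is exactly why it keeps basic operation working, and also why it should be used only for nodes that genuinely need to be open to all (the model's `System`-labelled case shows what happens to an unlabelled-by-policy device once a policy is loaded: access is denied until a rule grants it).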

