[systemd-devel] [PATCH] Smack enabled systems need /dev special devices correctly labeled

Demeter, Michael michael.demeter at intel.com
Tue Oct 15 08:50:17 PDT 2013


On Mon, Oct 14, 2013 at 4:33 PM, Kay Sievers <kay at vrfy.org> wrote:

> On Tue, Oct 15, 2013 at 1:21 AM, Michael Demeter
> <michael.demeter at intel.com> wrote:
>
> > It looks to me like *everything* will have that label now. This is an
> > unconditional rule.
> >
> >
> > Yes. Without it nothing can use the /dev devices except systemd
>
> Again and again:
>
> This will apply the label to ttys:
>   SUBSYSTEM=="tty", SECLABEL{smack}="*"
>

Yes, it will do this.


>
> This will pointlessly match on ttys, and apply the label to *all*
> devices on the system:
>   SUBSYSTEM=="tty",
>   SECLABEL{smack}="*"
>
> This is all wrong, please *really* test your stuff before submitting!
>
>
This is not pointlessly matching all ttys. This is exactly how I intended
this rule to work. If there are separate Smack labels for floor, system and
user then as soon as the first smack policy is established the user will no
longer be able to use anything labeled as floor. This rule sets the stage
correctly when Smack is enabled by allowing all reads and writes which is
how it should be.

Why do you think this is incorrect behavior?

I am open to suggestions with regards to writing a rule that is better
suited but it seems this does exactly what is needed for the system to
operate correctly.


> > It is not included as a policy file when the image is built if Smack is
> > not enabled. So will not affect anyone not using smack.
> >
> > That's not the point, the point is if it *belongs* in the systemd
> > repo, not if it's *enabled* by default or not. From what I see, it's
> > nothing really we should ship upstream.
> >
> > If Smack is enabled in systemd it starts very early and all of the
> > special devices need to be labeled properly for correct operation
> >
> > Also, it should not repeat the primary permissions settings from the
> > default rules, that is just not right.
> >
> > This was done at Auke's request since the rule is adding the SECLABEL
> > for debuggability to have the original rule present was desirable.
>
> Again, I don't need technical details here. In general it is not the goal
> of systemd to ship a half (regarding the device nodes) configured
> smack system, or carry out product specific policies.
>

This is to configure the system so it is useable in the case where Smack is
enabled and Smack policies have been added.


>
> Where does all the other needed policy live? You need to convince us
> why such a policy should live in an upstream systemd repo, I'm really
> not.
>

All other Smack policies live within each application package.


>
> Kay
>



-- 
Michael Demeter
Sr. Software Engineer
Open Source Technology Center - SSG
Intel Corporation
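
Added example, not part of the original message and not systemd code: a small Python check for the two rule shapes Kay describes above, a line that only matches and a line that only assigns and therefore applies to every device. The function names, the backslash-continuation case and the sample rules are constructed for illustration.

```python
import re

# One udev key/operator/value token, e.g. SUBSYSTEM=="tty" or SECLABEL{smack}="*"
TOKEN = re.compile(r'([A-Z_]+(?:\{[^}]*\})?)\s*(==|!=|\+=|-=|:=|=)\s*"([^"]*)"')
MATCH_OPS = {"==", "!="}
CONTROL_KEYS = {"LABEL", "GOTO"}  # flow control, unconditional by design

# Constructed sample: the two forms quoted in the thread plus a continued rule.
SAMPLE = '''\
SUBSYSTEM=="tty", SECLABEL{smack}="*"
SUBSYSTEM=="tty",
SECLABEL{smack}="*"
SUBSYSTEM=="tty", \\
  SECLABEL{smack}="*"
'''


def logical_lines(text):
    """Yield (first_line_number, rule_text); only a trailing backslash joins lines."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not buf and (not line or line.startswith("#")):
            continue  # skip blank lines and comments between rules
        if start is None:
            start = no
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield start, buf + line
        buf, start = "", None
    if buf:
        yield start, buf


def lint(text):
    """Return (line_number, finding) pairs for rules that cannot work as intended."""
    findings = []
    for no, rule in logical_lines(text):
        tokens = TOKEN.findall(rule)
        matches = [t for t in tokens if t[1] in MATCH_OPS]
        assigns = [t for t in tokens if t[1] not in MATCH_OPS and t[0] not in CONTROL_KEYS]
        if assigns and not matches:
            findings.append((no, "unconditional"))  # assignment applies to every device
        elif matches and len(matches) == len(tokens):
            findings.append((no, "match-only"))     # matches, then does nothing
    return findings
```

Running `lint(SAMPLE)` flags lines 2 and 3 of the sample; the single-line rule and the backslash-continued rule pass.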