[systemd-devel] [PATCH] Smack enabled systems need /dev special devices correctly labeled

Kay Sievers kay at vrfy.org
Tue Oct 15 08:58:46 PDT 2013


On Tue, Oct 15, 2013 at 5:50 PM, Demeter, Michael
<michael.demeter at intel.com> wrote:

>> This will pointlessly match on ttys, and apply the label to *all*
>> devices on the system:
>>   SUBSYSTEM=="tty",
>>   SECLABEL{smack}="*"
>>
>> This is all wrong, please *really* test your stuff before submitting!
>>
>
> This is not pointlessly matching all ttys. This is exactly how I intended
> this rule to work. If there are separate Smack labels for floor, system and
> user then as soon as the first smack policy is established the user will no
> longer be able to use anything labeled as floor. This rule sets the stage
> correctly when Smack is enabled by allowing all reads and writes which is
> how it should be.
>
> Why do you think this is incorrect behavior?
>
> I am open to suggestions with regards to writing a rule that is better
> suited but it seems this does exactly what is needed for the system to
> operate correctly.

This needs to be in one line, not in two. 2 lines are 2 independent
rules, not related to each other. The 2nd rule will match for all
events on the system. This was obviously never tested before
submission.

Kay
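The point Kay makes above is a property of the udev rules-file format: every line is its own rule, and a rule that carries only assignments (no `==` or `!=` keys) matches every event. The following Python is an added toy model of that behaviour, written for this page and not part of the thread or of udev itself. It parses a rules fragment with a deliberately small grammar (key, operator, quoted value; trailing backslash joins lines, as real udev allows), runs the rules over constructed events, and shows that the two-line form labels a block device while the one-line form does not. The event dictionaries and the `label_for` helper are assumptions made for the example; real udev's matching is far richer.

```python
# Added example: a minimal model of udev rule-line semantics.
# One rule per logical line; a line with no match keys matches every event.
import re
from typing import Dict, List, Optional, Tuple

Entry = Tuple[str, str, str]  # (key, operator, value)

# key may carry a {attr} suffix, e.g. SECLABEL{smack}; operator is ==, != or =
TOKEN = re.compile(r'\s*([A-Z]+(?:\{[^}]*\})?)\s*(==|!=|=)\s*"([^"]*)"\s*,?')


def parse_rules(text: str) -> List[List[Entry]]:
    """Split a rules fragment into rules, one per logical line.

    A trailing backslash continues the rule on the next physical line.
    Blank lines and '#' comments are skipped.
    """
    rules: List[List[Entry]] = []
    logical = ""
    for line in text.splitlines():
        if line.rstrip().endswith("\\"):
            logical += line.rstrip()[:-1]  # continuation: keep collecting
            continue
        logical += line
        stripped = logical.strip()
        logical = ""
        if not stripped or stripped.startswith("#"):
            continue
        entries: List[Entry] = []
        pos = 0
        while pos < len(stripped):
            m = TOKEN.match(stripped, pos)
            if not m:
                raise ValueError(f"cannot parse: {stripped[pos:]!r}")
            entries.append((m.group(1), m.group(2), m.group(3)))
            pos = m.end()
        rules.append(entries)
    return rules


def apply_rules(rules: List[List[Entry]], event: Dict[str, str]) -> Dict[str, str]:
    """Run every rule against one event and return the assignments made.

    A rule whose match keys all succeed (including a rule with *no* match
    keys) has its '=' assignments applied.
    """
    assigned: Dict[str, str] = {}
    for entries in rules:
        matches = True
        for key, op, value in entries:
            if op == "==" and event.get(key) != value:
                matches = False
            elif op == "!=" and event.get(key) == value:
                matches = False
        if matches:
            for key, op, value in entries:
                if op == "=":
                    assigned[key] = value
    return assigned


def label_for(rules_text: str, event: Dict[str, str]) -> Optional[str]:
    """Hypothetical helper: the Smack label a rules fragment gives an event."""
    return apply_rules(parse_rules(rules_text), event).get("SECLABEL{smack}")


# The two forms discussed in the thread (constructed inputs).
TWO_LINES = 'SUBSYSTEM=="tty",\nSECLABEL{smack}="*"\n'          # two rules
ONE_LINE = 'SUBSYSTEM=="tty", SECLABEL{smack}="*"\n'            # one rule
CONTINUED = 'SUBSYSTEM=="tty", \\\nSECLABEL{smack}="*"\n'       # one rule, joined by '\'

# Constructed events: a serial tty and a block device.
TTY_EVENT = {"SUBSYSTEM": "tty", "DEVNAME": "/dev/ttyS0"}
BLOCK_EVENT = {"SUBSYSTEM": "block", "DEVNAME": "/dev/sda"}

if __name__ == "__main__":
    for name, text in (("two lines", TWO_LINES), ("one line", ONE_LINE), ("continued", CONTINUED)):
        print(f"{name:10s} tty={label_for(text, TTY_EVENT)!s:5s} "
              f"block={label_for(text, BLOCK_EVENT)!s}")
```

Running it shows the two-line fragment labelling the block device as well as the tty, because its second line is a rule with no match keys; the one-line and backslash-continued forms label only the tty.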

