[systemd-devel] [PATCH] SMACK: assign * label to /tmp when using SMACK.

Kok, Auke-jan H auke-jan.h.kok at intel.com
Mon Oct 28 20:59:36 CET 2013


On Mon, Oct 28, 2013 at 8:58 AM, Lennart Poettering
<lennart at poettering.net> wrote:
> On Mon, 28.10.13 19:44, WaLyong Cho (walyong.cho at samsung.com) wrote:
>
>> At the same reason of /run and /dev/shm, when systemd is running with
>> SMACK, countless tasks are failed by missed privilege.
>> To avoid, /tmp is assigned '*' label.
>
> Won't this break if people compile systemd with SMACK enabled but
> run a kernel that has it disabled?
>
> We had a similar problem for the other mounts like /run, where we found
> a somewhat nice solution, but I am not sure how we can make the same
> work here...

Our posts intersected, badly. Yes, as I said in my mail, this sadly
does a bad job for those folks running with smack enabled in systemd
but with it disabled in the kernel.

For Tizen, we're thinking of just keeping this patch out of tree (and
it will just be a one-liner).

We could do a ConditionSecurity=Smack, or something like that (ottomh)
but we'd get duplicate tmp mounts, which is bad due to the way we name
mount units. ick.

Auke


More information about the systemd-devel mailing list