[systemd-devel] [PATCH] SMACK: assign * label to /tmp when using SMACK.

Lennart Poettering lennart at poettering.net
Tue Oct 29 13:27:07 CET 2013


On Tue, 29.10.13 16:02, WaLyong Cho (walyong.cho at samsung.com) wrote:

> >> Hmm, here's an idea: there has been a long standing feature request to
> >> add a configurable boolean to mount unit files that controls
> >> /bin/mount's "-s" switch. Let's say we call it
> >> "SloppyOptions=yes/no", or so. Then, we could set this for this unit
> >> file and apply the rest of the patch and things should work, and where
> >> they don't we can easily reassign to the kernel to respect the "-s" flag
> >> properly.
> >>
> >> Doing a patch that allows "-s" to be controlled should be fairly easy,
> >> would be happy to merge a patch for that!
> > ahhh I hadn't even seen -s in /bin/mount yet, so I can see this
> > helping out a lot.
> >
> > I'd be okay with a solution like that, it would certainly simplify
> > things a lot, but we need to be careful not to overload mount options
> > with all sorts of nonstandard options - it will make problems harder
> > to debug and for some of these security enabled systems we will most
> > likely want to actually _not_ use -s. After all, we want to make sure
> > we're actually booting with properly set up Smack options, e.g. a typo
> > in 'nodev,nosuid,nexec' could be disastrous. (typo deliberate).
> >
> > Auke
> >
> I am not sure we can use the -s option. First I tried that in my Fedora
> machine.
> 
>     # mount -t tmpfs -s -o mode=1777,strictatime,smackfsroot=* tmpfs /test
>     mount: wrong fs type, bad option, bad superblock on tmpfs,
>        missing codepage or helper program, or other error
> 
>        In some cases useful info is found in syslog - try
>        dmesg | tail or so.
> 
>     # dmesg
>     [  752.222803] tmpfs: Bad mount option smackfsroot

Hmm, it appears that libmount/util-linux actually appears to ignore the
sloppy mount option entirely. Adding kzak to CC. Karel, what's going on
here? Does "-s" have any use at all? Can we make it work for us?

Lennart

-- 
Lennart Poettering, Red Hat
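
Added example, not part of the original thread and not systemd or util-linux code: the concern quoted above is that a sloppy mount could silently drop a mistyped option such as 'nexec', so this Python check compares the security options a mount is required to have against what /proc/self/mountinfo reports as in effect. The function names and the sample mountinfo lines are constructed for illustration.

```python
import re

# Constructed sample in /proc/self/mountinfo format (not taken from the thread).
# /tmp shows what a sloppy mount of "nodev,nosuid,nexec" would leave behind:
# the misspelled option is dropped, so noexec is simply absent.
SAMPLE_MOUNTINFO = """\
22 1 8:2 / / rw,relatime shared:1 - ext4 /dev/sda2 rw
40 22 0:35 / /tmp rw,nosuid,nodev shared:20 - tmpfs tmpfs rw,mode=1777
41 22 0:36 / /run rw,nosuid,nodev,noexec shared:21 - tmpfs tmpfs rw,mode=755
42 22 0:37 / /mnt/my\\040data rw,nosuid,nodev,noexec - tmpfs tmpfs rw
"""


def _unescape(field):
    # mountinfo encodes space, tab, newline and backslash as \ooo octal escapes.
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mountinfo(text):
    """Map each mount point to its effective per-mount and superblock options."""
    mounts = {}
    for line in text.splitlines():
        fields = line.split()
        try:
            sep = fields.index("-", 6)  # separator follows the optional fields
        except ValueError:
            continue  # not a mountinfo line
        if len(fields) < sep + 4:
            continue  # truncated: fs type, source, super options missing
        options = set(fields[5].split(",")) | set(fields[sep + 3].split(","))
        # A later line for the same path is stacked on top, so it wins.
        mounts[_unescape(fields[4])] = options
    return mounts


def missing_options(text, mount_point, required):
    """Return the required options (comma-separated) that are not in effect."""
    wanted = [opt for opt in required.split(",") if opt]
    effective = parse_mountinfo(text).get(mount_point)
    if effective is None:
        return wanted  # not mounted at all, so nothing is enforced
    return [opt for opt in wanted if opt not in effective]


if __name__ == "__main__":
    for path in ("/tmp", "/run"):
        print(path, missing_options(SAMPLE_MOUNTINFO, path, "nodev,nosuid,noexec"))
```

On a live system, pass the contents of /proc/self/mountinfo as the text argument and treat a non-empty result as a boot-time failure.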

