[systemd-devel] [PATCH] SMACK: assign * label to /tmp when using SMACK.

Kok, Auke-jan H auke-jan.h.kok at intel.com
Tue Oct 29 19:39:49 CET 2013


On Tue, Oct 29, 2013 at 12:02 AM, WaLyong Cho <walyong.cho at samsung.com> wrote:
> How about adding specific options for smack? According to
> http://schaufler-ca.com/description_from_the_linux_source_tree
>
> Smack supports some mount options:
>
>     smackfsdef=label: specifies the label to give files that lack
>     the Smack label extended attribute.
>
>     smackfsroot=label: specifies the label to assign the root of the
>     file system if it lacks the Smack extended attribute.
>
>     smackfshat=label: specifies a label that must have read access to
>     all labels set on the filesystem. Not yet enforced.
>
>     smackfsfloor=label: specifies a label to which all labels set on the
>     filesystem must have read access. Not yet enforced.
>
> If we support 'SmackFsRoot=label' option and append the 'smackfsroot' option
> after checking the smack by test_security("smack"), then I think we can
> solve most problems. (with Auke's worry)

Adding config options for optional mount options that aren't even
standard.... sorry, that just sounds like a terrible idea.

Let's see why the -s option in mount isn't working. For Tizen, I'd
rather see a ConditionSecurity=!smack / ConditionSecurity=smack pair
of complementary unit files since that is a method that should already
work and even cover the case where you boot with security=none or even
a kernel with smack disabled. Again a solution I would not recommend
carrying upstream but it solves the problem for Tizen well and would
be a 20-line patch or so.

Cheers,

Auke

