[systemd-devel] [PATCH] SMACK: assign * label to /tmp when using SMACK.
Karel Zak
kzak at redhat.com
Thu Oct 31 20:00:33 CET 2013
On Tue, Oct 29, 2013 at 01:27:07PM +0100, Lennart Poettering wrote:
> On Tue, 29.10.13 16:02, WaLyong Cho (walyong.cho at samsung.com) wrote:
>
> > >> Hmm, here's an idea: there has been a long standig feature request to
> > >> add a configurable boolean to mount unit files that controls
> > >> /bin/mount's "-s" switch. Let's say we call it
> > >> "SloppyOptions=yes/no", or so. Then, we could set this for this unit
> > >> file and apply the rest of the patch and things should work, and where
> > >> they don't we can easily reassign to the kernel to respect the "-s" flag
> > >> properly.
> > >>
> > >> Doing a patch that allows "-s" to be controlled should be fairly easy,
> > >> would be happy to merge a patch for that!
> > > ahhh I hadn't even seen -s in /bin/mount yet, so I can see this
> > > helping out a lot.
> > >
> > > I'd be okay with a solution like that, it would certainly simplify
> > > things a lot, but we need to be careful not to overload mount options
> > > with all sorts of nonstandard options - it will make problems harder
> > > to debug and for some of these security enabled systems we will most
> > > likely want to actually _not_ use -s. After all, we want to make sure
> > > we're actually booting with properly setup Smack options e.g. a typo
> > > in 'nodev,nosuid,nexec' could be disastrous. (typo deliberate).
> > >
> > > Auke
> > >
> > I am not sure we can use the -s option. First I tried that in my fedora
> > machine.
> >
> > # mount -t tmpfs -s -o mode=1777,strictatime,smackfsroot=* tmpfs /test
BTW, for SELinux we remove selinux specific mount options in
userspace (in mount(8)) if the kernel does not support selinux.
It help us to make command line or fstab setting independent on the
current kernel features.
Maybe we can use the same for SMACK, is there any way how to
determine that the system uses SMACK? (/proc/<something> or so...).
-- for selinux we check for /sys/fs/selinux or /selinux.
It would be easer than play nasty games with -s.
Karel
--
Karel Zak <kzak at redhat.com>
http://karelzak.blogspot.com
More information about the systemd-devel
mailing list