[systemd-devel] [PATCH] smack: introduce new SmackLabelExec option

Lennart Poettering lennart at poettering.net
Mon Nov 10 11:10:29 PST 2014


On Tue, 11.11.14 00:43, WaLyong Cho (walyong.cho at samsung.com) wrote:

> On 11/10/2014 10:26 PM, Lennart Poettering wrote:
> > On Fri, 07.11.14 10:03, Casey Schaufler (casey at schaufler-ca.com) wrote:
> > 
> >> Calling it SmackLabel= instead of SmackLabelExec= would be fine as
> >> far as I'm concerned. SmackLabel= is more consistent with SELinuxContext=
> >> and AppArmorProfile=, as you point out.
> > 
> > OK!
> > 
> > WaLyong, let's name it SmackLabel= then!
> 
> I think I have bothered you. Excuse me, but I'm asking you again.
> And I think introducing a new config should be done carefully.
> 
> Hmm, I'm still confused. We're already using SmackLabel= as a socket
> config item. Yeah, it is possible as both an exec and a socket config. But
> the purposes are different.
> In the socket config, this config is used to set SMACK64 of the socket file.
> In the exec config, this config is used to set the child systemd attribute when
> the User= config is given.
> And do we have to explain it in each man page? Or drop it from the socket package
> and move it to the exec page?

> I'm not sure it makes sense.

Hmm, OK, so you might actually have a point. And this is because
.socket units may carry ExecStartPre= command lines which are executed
before we start listening to a socket. If we'd just have SmackLabel=
then it would not be clear whether it applies as file system label to
the socket fds, or if it applies as process label to the ExecStartPre=
processes.

Hmm, I guess I am fine with SmackLabelExec= then!

Lennart

-- 
Lennart Poettering, Red Hat

