[systemd-devel] [PATCH] smack: introduce new SmackLabelExec option
WaLyong Cho
walyong.cho at gmail.com
Mon Nov 10 22:24:40 PST 2014
On 11/11/2014 04:10 AM, Lennart Poettering wrote:
> On Tue, 11.11.14 00:43, WaLyong Cho (walyong.cho at samsung.com) wrote:
>
>> On 11/10/2014 10:26 PM, Lennart Poettering wrote:
>>> On Fri, 07.11.14 10:03, Casey Schaufler (casey at schaufler-ca.com) wrote:
>>>
>>>> Calling it SmackLabel= instead of SmackLabelExec= would be fine as
>>>> far as I'm concerned. SmackLabel= is more consistent with SELinuxContext=
>>>> and AppArmorProfile=, as you point out.
>>>
>>> OK!
>>>
>>> WaLyong, let's name it SmackLabel= then!
>>
>> I think I had made you to bother. Excuse me, but I'm asking you again.
>> And I think introducing new config should be careful.
>>
>> Hmm, I'm still confusing. We're already using SmackLabel= as socket
>> config item. Yeah, it can possible as both exec/socket config. But each
>> purposes are different.
>> In socket config, this config is used to set SMACK64 of socket file.
>> In exec config, this config is used to set child systemd attribute when
>> User= config is given.
>> And does we have to explain each man page? Or drop from socket package
>> and move that to exec page?
>
>> I'm not sure it make sense.
>
> Hmm, OK, so you might actually have a point. And this is because
> .socket units may carry ExecStartPre= command lines which are execute
> before we start listening to a socket. If we'd just have SmackLabel=
> then it would not be clear whether it applies as file system label to
> the socket fds, or if it applies as process label to the ExecStartPre=
> processes.
>
> Hmm, I guess I am fine with SmackLabelExec= then!
Hmm, I'd thouth about this again. The name SmackLabelExec= can be shown
as the value will be set to the target processes what will be executed
by child systemd. But acctually the label only be used to access the
executable file. I think just read the SMACK64 of the executable file
and set child systemd itself will reduce our naming pain. But Casey said
it way is sneaky.
How do you think?
WaLyong
>
> Lennart
>
More information about the systemd-devel
mailing list