On Mon, 29.10.12 15:30, Auke Kok ([email protected]) wrote:

> This adds SMACK label configuration options to socket units.

Merged! But made a couple of changes on the way:

I think the new config options should clarify that you configure the security *label* with them, so I renamed them to "SmackLabel=" and similar.

I also merged the three items in the man page into one, so that people are hopefully less annoyed about "OMG i am not running my stuff with SMACK OMG why is all this stuff in my systemd OMG systemd is bloated OMG". After all people only complain about stuff that appears big even if it is rather trivial in code.

One more thing though: I think it would be cool to have support for SMACK in ConditionVirtualization= as well. Currently this can be used to hook in certain services only if SELinux is used. It would be cool if we'd have similar support for SMACK too. (And also for IMA...) Any chance you can hack that up for SMACK? Is there a nice way to detect whether SMACK is in the kernel and enabled?

BTW, what loads the SMACK policy? We currently load the SELinux and IMA policies right from PID 1 itself, before we invoke anything else. My guess is that SMACK or AppArmor policies should probably be loaded similarly early, since they should probably be in effect before the first process is forked off.

Lennart

--
Lennart Poettering - Red Hat, Inc.
