> -----Original Message-----
> From: Lennart Poettering [mailto:[email protected]]
> Sent: Tuesday, October 30, 2012 2:56 PM
> To: Kok, Auke-jan H
> Cc: Schaufler, Casey; [email protected]
> Subject: Re: [PATCH] SMACK: Add configuration options. (v3)
>
> On Mon, 29.10.12 20:17, Kok, Auke-jan H ([email protected]) wrote:
>
> > > I also merged the three items in the man page into one, so that
> > > people are hopefully less annoyed about "OMG i am not running my
> > > stuff with SMACK OMG why is all this stuff in my systemd OMG systemd
> > > is bloated OMG". After all people only complain about stuff that
> > > appears big even if it is rather trivial in code.
> >
> > Did you copy the section of the commit message here that states that
> > this doesn't add any libraries and just uses fsetxattr()? This may
> > help to deter those thoughts... ;^)
>
> I left the commit message intact.
>
> > > hack that up for SMACK? is there a nice way to detect whether SMACK
> > > is in the kernel and enabled?
> >
> > yes, you can detect it by reading /proc/filesystems and checking for
> > "smackfs", and if mounted, that it's enabled.
>
> Hmm, I think it's a good idea to mount all API VFS that are around,
> regardless whether the subsystem they are used for is actually really
> enabled. Isn't there a nicer way how to detect whether a SMACK policy
> is actually loaded?

Unlike some other security systems, Smack does not do Bad Things when
there is no "policy" loaded. The out-of-the-box behavior, with no
configuration, actually is rational in some situations.

> > > bootchart first though, grrr ;^)
>
> Haven't forgotten that, will look into it soon. Promised!
>
> Lennart
>
> --
> Lennart Poettering - Red Hat, Inc.
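
An added example, not part of the original thread and not systemd's code: a shell function for the check described in the quoted reply, which separates "kernel has smackfs" from "smackfs is mounted". It does not answer the follow-up question of whether any policy is loaded. The names `smack_state` and `smack_demo`, the sample file contents and the `/smack` mount point are assumptions made for illustration.

```shell
#!/bin/sh
# smack_state [FILESYSTEMS_FILE] [MOUNTS_FILE]
# Prints one of:
#   unsupported           smackfs is not registered with the kernel
#   available             smackfs is registered but not mounted
#   mounted:<mountpoint>  smackfs is registered and mounted
# Defaults to the live /proc files; paths can be overridden for testing.
smack_state() {
    fs_file=${1:-/proc/filesystems}
    mounts_file=${2:-/proc/mounts}

    # /proc/filesystems: optional "nodev" flag, type name in the last field.
    if ! awk '$NF == "smackfs" { found = 1 } END { exit !found }' "$fs_file"; then
        echo unsupported
        return 0
    fi

    # /proc/mounts: device, mount point, fs type, options, dump, pass.
    # Match on the fs type (field 3) so the mount point can be anywhere.
    mnt=$(awk '$3 == "smackfs" { print $2; exit }' "$mounts_file")
    if [ -n "$mnt" ]; then
        echo "mounted:$mnt"
    else
        echo available
    fi
}

# Runs smack_state against constructed sample files (not captured from a
# real system); the /smack mount point is an assumption.
smack_demo() {
    d=$(mktemp -d) || return 1
    printf 'nodev\tsysfs\nnodev\tsmackfs\n\text4\n' > "$d/fs"
    printf 'sysfs /sys sysfs rw 0 0\nsmackfs /smack smackfs rw 0 0\n' > "$d/mounts"
    smack_state "$d/fs" "$d/mounts"
    rm -rf "$d"
}

smack_demo
```

Called with no arguments, `smack_state` reads the live `/proc/filesystems` and `/proc/mounts`.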
