On Tue, Oct 1, 2013 at 4:40 PM, Lennart Poettering <[email protected]> wrote:
> On Tue, 01.10.13 16:11, Auke Kok ([email protected]) wrote:
>
>> Once system itself is running in a security domain for SMACK,
>> it will fail to start countless tasks due to missing privileges
>> for mounted and created directory structures. For /run and shm
>> specifically, we grant all tasks access.
>
> Hmm, I am not convinced this patch is really desirable. So far we tried
> to make sure that a systemd that is compiled with selinux/smack/ima
> support works on kernels that lack it and vice versa. However, if I am
> not mistaken this patch will break this, as you set MNT_FATAL for the
> mounts but unconditionally add smackfsroot=* to the mount options --
> which if I am not mistaken will cause the mount to fail on kernels that
> lack SMACK, right?

thanks for replying - I was struggling to figure out if we really want
to do that or not.

> Something that might work is simply dropping the MNT_FATAL from the
> HAVE_SMACK lines. That way, it will be attempted to mount things with
> the specified parameters, and if that fails it will be retried
> immediately with the following line that lacks the smackfsdef= param?
> The mounting code is smart enough to detect if /run is mounted and will
> not actually try to mount things twice if something is found to be
> mounted there already...

I like that, that's totally reasonable. Will respin.

Auke
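
The fallback ordering discussed in this thread, as an added example that is not part of the original message and is not systemd's code: a SMACK-labelled entry tried first without MNT_FATAL, followed by a plain MNT_FATAL entry that is skipped when the mount point is already mounted. The table contents, `MNT_NONE`, `fake_mount()`, `mount_setup()` and the `mode=755` option are constructed for illustration, and the simulated kernel assumes, as the thread suggests, that a kernel without SMACK rejects the smackfs option.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MNT_NONE  0
#define MNT_FATAL 1   /* failure of this entry aborts setup */

typedef struct {
    const char *where;    /* mount point */
    const char *options;  /* mount options */
    int mode;             /* MNT_NONE or MNT_FATAL */
} MountPoint;

/* Constructed table: SMACK variant first and non-fatal, plain fallback second. */
static const MountPoint mount_table[] = {
    { "/run", "mode=755,smackfsroot=*", MNT_NONE  },
    { "/run", "mode=755",               MNT_FATAL },
};

static char mounted_opts[64];  /* simulated state: options /run has, "" if unmounted */

/* Stand-in for mount(2); assumes a kernel without SMACK rejects smackfs* options. */
static int fake_mount(const MountPoint *p, bool kernel_has_smack) {
    if (strstr(p->options, "smackfs") && !kernel_has_smack)
        return -1;
    snprintf(mounted_opts, sizeof mounted_opts, "%s", p->options);
    return 0;
}

/* Walk the table in order; returns 0 on success, -1 if a fatal entry failed. */
static int mount_setup(bool kernel_has_smack) {
    mounted_opts[0] = '\0';
    for (size_t i = 0; i < sizeof mount_table / sizeof mount_table[0]; i++) {
        const MountPoint *p = &mount_table[i];
        if (mounted_opts[0] != '\0')
            continue;                       /* already mounted: do not mount twice */
        if (fake_mount(p, kernel_has_smack) < 0 && (p->mode & MNT_FATAL))
            return -1;
    }
    return 0;
}

int main(void) {
    for (int smack = 1; smack >= 0; smack--) {
        int r = mount_setup(smack);
        printf("kernel SMACK=%d -> rc=%d, /run options: %s\n", smack, r, mounted_opts);
    }
    return 0;
}
```

With both entries marked MNT_FATAL, the first failure on a non-SMACK kernel would abort setup before the fallback entry is reached, which is the breakage raised in the quoted review.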
