> -----Original Message-----
> From: Kay Sievers [mailto:[email protected]]
> Sent: Monday, October 07, 2013 5:34 PM
> To: Kok, Auke-jan H
> Cc: Reshetova, Elena; Schaufler, Casey; systemd-
> [email protected]; [email protected]; Ware, Ryan R
> Subject: Re: [systemd-devel] Patch for Smack labelling support in udev
> 
> On Thu, Sep 12, 2013 at 10:13 PM, Kok, Auke-jan H <auke-
> [email protected]> wrote:
> > On Thu, Sep 12, 2013 at 10:23 AM, Kay Sievers <[email protected]> wrote:
> >> On Fri, Aug 9, 2013 at 8:56 PM, Kok, Auke-jan H
> >> <[email protected]> wrote:
> >>> On Wed, Jul 24, 2013 at 3:15 AM, Reshetova, Elena <[email protected]> wrote:
> >>
> >>>> For example, I can set a couple of smack-related xattrs in one go
> >>>> like XATTR{security.SMACK64}="*", XATTR{security.SMACK64EXEC}="*".
> >>>> Doesn't make sense from smack point of view (only smack64 is really
> >>>> meaningful on device nodes), but proves that functionality works.
> >>>
> >>> right, but we could be setting other non-SMACK xattrs now all in one
> >>> go - for example, SELINUX ones ("security.selinux").
> >>
> >> Yeah, *looks* powerful, but also scary. :)
> 
> Udev now supports:
>   SECLABEL{smack}="name"
> 
> http://cgit.freedesktop.org/systemd/systemd/commit/?id=c26547d612733371494330e26c7d3604a5dba3d9
> 
> Please check if that works for you.

It's OK for devices. It won't work for files in general, as Smack
uses multiple attributes in certain cases. It won't work for any
future LSM that uses multiple SECLABELS on a device. Yes, I have
been requested to support multiple Smack labels on a file in
the past. There are security semantics that could make sense.


> Thanks,
> Kay
_______________________________________________
systemd-devel mailing list
[email protected]
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
