Michael Demeter
Staff Security Engineer
Open Source Technology Center - SSG
Intel Corporation
On Oct 14, 2013, at 4:10 PM, Kay Sievers <[email protected]> wrote:

> On Tue, Oct 15, 2013 at 12:59 AM, Michael Demeter
> <[email protected]> wrote:
>> Yes it is very specific to Smack.
>
> Sure.
>
>> Yes this has been tested here.
>
> It looks to me like *everything* will have that label now. This is an
> unconditional rule.

Yes. Without it nothing can use the /dev devices except systemd.

>
>> It is not included as a policy file when the image is built if Smack is not
>> enabled. So will not affect anyone not using smack.
>
> That's not the point, the point is if it *belongs* in the systemd
> repo, not if it's *enabled* by default or not. From what I see, it's
> nothing really we should ship upstream.

If Smack is enabled in systemd it starts very early and all of the special devices need to be labeled properly for correct operation.

>
> Also, it should not repeat the primary permissions settings from the
> default rules, that is just not right.

This was done at Auke's request since the rule is adding the SECLABEL for debuggability to have the original rule present was desirable.

>
> Kay
_______________________________________________
systemd-devel mailing list
[email protected]
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
