On Mon, Oct 14, 2013 at 3:54 PM, Kay Sievers <[email protected]> wrote:
> On Mon, Oct 14, 2013 at 11:58 PM, Michael Demeter
> <[email protected]> wrote:
>
>> +KERNEL=="tty[A-Z]*[0-9]|pppox[0-9]*|ircomm[0-9]*|noz[0-9]*|rfcomm[0-9]*",
>> +GROUP="dialout", SECLABEL{smack}="*"
>
> The SECLABEL{} instruction in a separate line? What is that supposed
> to do? Have you tested any of this?
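
Review bot: the rule breaks after the trailing comma of the `KERNEL==` match, leaving `GROUP="dialout", SECLABEL{smack}="*"` on a line of its own. udev reads one rule per line, so that second line would be parsed as a separate rule with no match key, and the dialout group and the "*" label would no longer be limited to the tty/pppox/ircomm/noz/rfcomm nodes named in the match. Keep the match and both assignments on a single line (or end the first line with a backslash continuation), and add a comment above the rule explaining why these nodes need the "*" label.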

looks like the patch got munged in the process here (wrapped).

> Also, I'm not convinced that this belongs into the upstream repo. This
> seems like a very specific policy, similar to the selinux policy,
> which does not necessarily belong into systemd. Where is the policy
> defined for the apps and other stuff, isn't that the better place?

We had a discussion about this in the office here, because I was hesitant about merging this upstream at first as well. However, the rules above (or, at least what they intend to do) are useful irregardless of whether you actually have created a Smack policy or not.

Creating a Smack policy can be complex or simple, but there are a few basic things that should be tweaked even without any existing policy in place, hence, it makes sense to merge this upstream. After all, no matter the policy, these rules here are going to be needed.

In short, setting '*' here as label is useful for all implementations of Smack, policy present or not. This basically boils down to the built-in set of rules that Smack has in the kernel - without these rules basic operation will stop working once you create a Smack policy.

We want to make it easy for Smack users to create their Smack policy without having to hunt down all sorts of really low level Smack effects, and this is part of that.

Cheers,

Auke
