On Tue, Oct 15, 2013 at 1:21 AM, Michael Demeter
<[email protected]> wrote:

> It looks to me like *everything* will have that label now. This is an
> unconditional rule.
>
>
> Yes. Without it nothing can use the /dev devices except systemd

Again and again:

This will apply the label to ttys:
  SUBSYSTEM=="tty", SECLABEL{smack}="*"

This will pointlessly match on ttys, and apply the label to *all*
devices on the system:
  SUBSYSTEM=="tty",
  SECLABEL{smack}="*"

This is all wrong, please *really* test your stuff before submitting!

> It is not included as a policy file when the image is built if Smack is not
> enabled.. So will not affect anyone not using smack.
>
> That's not the point, the point is if it *belongs* into the systemd
> repo, not if it's *enabled* by default or not. From what I see, it's
> nothing really we should ship upstream.
>
> If Smack is enabled in systemd it starts very early and all of the special
> devices need to be labeled properly for correct operation
>
> Also, it should not repeat the primary permissions settings from the
> default rules, that is just not right.
>
> This was done at Auke's request since the rule is adding the SECLABEL
> for debugability to have the original rule present was desirable.

Again, I don't need technical details here. In general it is not the goal
of systemd to ship a half-configured (regarding the device nodes)
smack system, or carry out product-specific policies.

Where does all the other needed policy live? You need to convince us
why such a policy should live in an upstream systemd repo, I'm really
not.

Kay
_______________________________________________
systemd-devel mailing list
[email protected]
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

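Added here as an illustration, not code from the mail or from systemd: a small lint that parses udev rule lines in a simplified model of udev's one-rule-per-line handling (an assumption, not udev's real parser) and flags the two defects Kay describes, a rule that only matches but assigns nothing, and an assignment such as SECLABEL with no match key at all, which applies to every device. The sample rules file is constructed from the two forms quoted in the mail.

```python
import re

# Constructed sample: the correct one-line form, followed by the split form
# where the trailing comma leaves the assignment alone on the next line.
SAMPLE_RULES = '''\
SUBSYSTEM=="tty", SECLABEL{smack}="*"
SUBSYSTEM=="tty",
SECLABEL{smack}="*"
'''

# KEY or KEY{attr}, an operator, a double-quoted value, optional trailing comma.
TOKEN = re.compile(r'\s*([A-Z]+(?:\{[^}]*\})?)\s*(==|!=|\+=|-=|:=|=)\s*"([^"]*)"\s*,?')

MATCH_OPS = ('==', '!=')


def parse_rule_line(line):
    """Split one rule line into (key, op, value) tokens.
    Assumption: every non-blank, non-comment line is one complete rule."""
    tokens, pos = [], 0
    while pos < len(line):
        m = TOKEN.match(line, pos)
        if not m:
            raise ValueError(f"cannot parse rule fragment: {line[pos:]!r}")
        tokens.append((m.group(1), m.group(2), m.group(3)))
        pos = m.end()
    return tokens


def lint_rules(text):
    """Return (line number, kind, line) for each suspicious rule.
    'no-op': match keys only, the rule does nothing.
    'unconditional': assignments only, the rule fires for every device."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        ops = [op for _, op, _ in parse_rule_line(line)]
        has_match = any(op in MATCH_OPS for op in ops)
        has_assign = any(op not in MATCH_OPS for op in ops)
        if has_match and not has_assign:
            findings.append((n, 'no-op', line))
        elif has_assign and not has_match:
            findings.append((n, 'unconditional', line))
    return findings


if __name__ == '__main__':
    for n, kind, line in lint_rules(SAMPLE_RULES):
        print(f"line {n}: {kind}: {line}")
```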