summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorSangjung Woo <sangjung.woo@samsung.com>2015-09-10 21:52:39 +0900
committerSangjung Woo <sangjung.woo@samsung.com>2015-09-10 21:52:39 +0900
commit1fab0cbafcb67cff912d0e45de9677135550f924 (patch)
treec46bdad54e89e59ae0d7b33decb3e3db8f970303
parentf33be3119806f96898dda6ade492fbdcdf8f79b8 (diff)
smack: label /etc/mtab as "_" when '--with-smack-run-label' is enabled.
/etc/mtab should be labeled as "_", even though systemd has its own smack label using '--with-smack-run-label' configuration. This is mainly because all processes could read that file and the origin of this file (i.e. /proc/mounts) is labeled as "_". This labels /etc/mtab as "_" when '--with-smack-run-label' is enabled.
-rw-r--r--configure.ac7
-rw-r--r--tmpfiles.d/etc.conf.m43
2 files changed, 9 insertions, 1 deletions
diff --git a/configure.ac b/configure.ac
index 2024939ad0..aad6782e08 100644
--- a/configure.ac
+++ b/configure.ac
@@ -657,12 +657,17 @@ if test "x${have_smack}" = xauto; then
have_smack=yes
fi
+have_smack_run_label=no
AC_ARG_WITH(smack-run-label,
AS_HELP_STRING([--with-smack-run-label=STRING],
[run systemd --system itself with a specific SMACK label]),
- [AC_DEFINE_UNQUOTED(SMACK_RUN_LABEL, ["$withval"], [Run systemd itself with SMACK label])],
+ [AC_DEFINE_UNQUOTED(SMACK_RUN_LABEL, ["$withval"], [Run systemd itself with SMACK label]) have_smack_run_label=yes],
[])
+if test "x${have_smack_run_label}" = xyes; then
+ M4_DEFINES="$M4_DEFINES -DHAVE_SMACK_RUN_LABEL"
+fi
+
AC_ARG_WITH(smack-default-process-label,
AS_HELP_STRING([--with-smack-default-process-label=STRING],
[default SMACK label for executed processes]),
diff --git a/tmpfiles.d/etc.conf.m4 b/tmpfiles.d/etc.conf.m4
index e74b02687f..ef7b9b9541 100644
--- a/tmpfiles.d/etc.conf.m4
+++ b/tmpfiles.d/etc.conf.m4
@@ -10,6 +10,9 @@
L /etc/os-release - - - - ../usr/lib/os-release
L /etc/localtime - - - - ../usr/share/zoneinfo/UTC
L+ /etc/mtab - - - - ../proc/self/mounts
+m4_ifdef(`HAVE_SMACK_RUN_LABEL',
+t /etc/mtab - - - - security.SMACK64=_
+)m4_dnl
m4_ifdef(`ENABLE_RESOLVED',
L! /etc/resolv.conf - - - - ../run/systemd/resolve/resolv.conf
)m4_dnl