authorAuke Kok <auke-jan.h.kok@intel.com>2013-09-25 15:49:42 -0700
committerAuke Kok <auke-jan.h.kok@intel.com>2013-10-07 10:23:20 -0700
commit8b197c3a8a57c3f7c231b39e5660856fd9580c80 (patch)
tree7d917843342adab5f2002d0cfb730eb18c462419
parentd407c9402064d8b9d1b12dca6ca1ddb2688e5454 (diff)
Run with a custom SMACK domain (label).
Allows the systemd --system process to change its current SMACK label to a predefined custom label (usually "system") at boot time. This is needed to have a few system-generated folders and sockets automatically be created with the right SMACK label. Without that, processes either cannot communicate with systemd or systemd fails to perform some actions.
-rw-r--r--configure.ac6
-rw-r--r--src/core/smack-setup.c8
2 files changed, 14 insertions, 0 deletions
diff --git a/configure.ac b/configure.ac
index 4f26092e91..00ee9bb92d 100644
--- a/configure.ac
+++ b/configure.ac
@@ -524,6 +524,12 @@ else
fi
fi
+AC_ARG_WITH(smack-run-label,
+AS_HELP_STRING([--with-smack-run-label=STRING],
+ [run systemd --system with a specific SMACK label]),
+ [AC_DEFINE_UNQUOTED(SMACK_RUN_LABEL, ["$withval"], [Run with a smack label])],
+ [])
+
if test "x${have_smack}" = xyes ; then
AC_DEFINE(HAVE_SMACK, 1, [Define if SMACK is available])
fi
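Review bot: The `AC_ARG_WITH` action defines `SMACK_RUN_LABEL` from `$withval` unconditionally, so `--without-smack-run-label` produces the label `"no"` and a bare `--with-smack-run-label` produces `"yes"`, and PID 1 would then try to relabel itself to that string at boot. Guard the define so those values and an empty string leave the macro undefined, for example `[AS_CASE(["$withval"], [yes|no|""], [], [AC_DEFINE_UNQUOTED(SMACK_RUN_LABEL, ["$withval"], [Run with a smack label])])],`. The value is also pasted straight into a C string literal, so a label containing a double quote or backslash would corrupt the generated header. Rejecting labels that Smack would not accept at configure time is preferable to finding out from a boot-time warning.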
diff --git a/src/core/smack-setup.c b/src/core/smack-setup.c
index 1434dea7c1..611bfdb2df 100644
--- a/src/core/smack-setup.c
+++ b/src/core/smack-setup.c
@@ -36,6 +36,7 @@
#include "macro.h"
#include "smack-setup.h"
#include "util.h"
+#include "fileio.h"
#include "log.h"
#include "label.h"
@@ -138,6 +139,13 @@ int smack_setup(void) {
return 0;
}
+#ifdef SMACK_RUN_LABEL
+ r = write_string_file("/proc/self/attr/current", SMACK_RUN_LABEL);
+ if (r)
+ log_warning("Failed to set SMACK label \"%s\" on self: %s",
+ SMACK_RUN_LABEL, strerror(-r));
+#endif
+
r = write_rules("/sys/fs/smackfs/cipso2", CIPSO_CONFIG);
switch(r) {
case -ENOENT:
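Review bot: A failed write to `/proc/self/attr/current` is only logged with `log_warning` and `smack_setup()` continues, so PID 1 presumably keeps the label it inherited. Going by the commit description, the directories and sockets it creates afterwards would then carry the wrong label. Test the negative-errno return explicitly with `if (r < 0)`, matching the `strerror(-r)` on the next line, and consider `log_error`, since the resulting access denials will surface far from their cause. A comment above the `#ifdef` would document the intent, e.g. `/* Relabel PID 1 before it creates sockets and directories; failure is non-fatal and leaves the inherited label in place. */`. The body of `smack_setup()` starts and ends outside this hunk, so whether the earlier `return 0` path can skip this block on a Smack-enabled system should be checked against the full function.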