author | Sangjung Woo <sangjung.woo@samsung.com> | 2015-09-10 21:52:39 +0900 |
---|---|---|
committer | Sangjung Woo <sangjung.woo@samsung.com> | 2015-09-10 21:52:39 +0900 |
commit | 1fab0cbafcb67cff912d0e45de9677135550f924 (patch) | |
tree | c46bdad54e89e59ae0d7b33decb3e3db8f970303 | |
parent | f33be3119806f96898dda6ade492fbdcdf8f79b8 (diff) |
smack: label /etc/mtab as "_" when '--with-smack-run-label' is enabled.
/etc/mtab should be labeled as "_", even though systemd has its own
smack label using '--with-smack-run-label' configuration. This is mainly
because all processes could read that file and the origin of this file
(i.e. /proc/mounts) is labeled as "_". This labels /etc/mtab as "_" when
'--with-smack-run-label' is enabled.
-rw-r--r-- | configure.ac | 7 | ||||
-rw-r--r-- | tmpfiles.d/etc.conf.m4 | 3 |
2 files changed, 9 insertions, 1 deletions
diff --git a/configure.ac b/configure.ac
index 2024939ad0..aad6782e08 100644
--- a/configure.ac
+++ b/configure.ac
@@ -657,12 +657,17 @@ if test "x${have_smack}" = xauto; then
 have_smack=yes
 fi
 
+have_smack_run_label=no
 AC_ARG_WITH(smack-run-label,
 AS_HELP_STRING([--with-smack-run-label=STRING],
 [run systemd --system itself with a specific SMACK label]),
- [AC_DEFINE_UNQUOTED(SMACK_RUN_LABEL, ["$withval"], [Run systemd itself with SMACK label])],
+ [AC_DEFINE_UNQUOTED(SMACK_RUN_LABEL, ["$withval"], [Run systemd itself with SMACK label]) have_smack_run_label=yes],
 [])
 
+if test "x${have_smack_run_label}" = xyes; then
+ M4_DEFINES="$M4_DEFINES -DHAVE_SMACK_RUN_LABEL"
+fi
+
 AC_ARG_WITH(smack-default-process-label,
 AS_HELP_STRING([--with-smack-default-process-label=STRING],
 [default SMACK label for executed processes]),
diff --git a/tmpfiles.d/etc.conf.m4 b/tmpfiles.d/etc.conf.m4
index e74b02687f..ef7b9b9541 100644
--- a/tmpfiles.d/etc.conf.m4
+++ b/tmpfiles.d/etc.conf.m4
@@ -10,6 +10,9 @@
 L /etc/os-release - - - - ../usr/lib/os-release
 L /etc/localtime - - - - ../usr/share/zoneinfo/UTC
 L+ /etc/mtab - - - - ../proc/self/mounts
+m4_ifdef(`HAVE_SMACK_RUN_LABEL',
+t /etc/mtab - - - - security.SMACK64=_
+)m4_dnl
 m4_ifdef(`ENABLE_RESOLVED',
 L! /etc/resolv.conf - - - - ../run/systemd/resolve/resolv.conf
 )m4_dnl |
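Review bot: In the `AC_ARG_WITH(smack-run-label, ...)` action, `have_smack_run_label=yes` is assigned whenever the option appears on the command line, so `--without-smack-run-label` (where `$withval` is `no`) still adds `-DHAVE_SMACK_RUN_LABEL` to `M4_DEFINES` and enables the /etc/mtab relabel rule. Guarding the assignment on the value would avoid that, for example `AS_IF([test "x$withval" != xno], [have_smack_run_label=yes])`; the unchanged `AC_DEFINE_UNQUOTED(SMACK_RUN_LABEL, ["$withval"], ...)` in the same action appears to have the same blind spot. The new `if test "x${have_smack_run_label}" = xyes` block also does not consult `have_smack`, so it is worth confirming that a build with SMACK disabled cannot end up with the define. The following `AC_ARG_WITH(smack-default-process-label, ...)` call continues outside the hunk and is not part of this point.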
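Review bot: The added `t /etc/mtab - - - - security.SMACK64=_` rule has no comment saying why the xattr is set or why it depends on `HAVE_SMACK_RUN_LABEL`; that reasoning exists only in the commit message. A line such as `# With a SMACK run label set, label /etc/mtab "_" like /proc/mounts so every process can read it` placed just above the new m4_ifdef block would keep the access-control intent next to the rule, so a later edit does not drop or widen the label without noticing. It would also help to state in that comment that the rule depends on the preceding `L+ /etc/mtab` line having created the link.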