author | Auke Kok <auke-jan.h.kok@intel.com> | 2013-09-25 15:49:42 -0700 |
---|---|---|
committer | Auke Kok <auke-jan.h.kok@intel.com> | 2013-10-07 10:23:20 -0700 |
commit | 8b197c3a8a57c3f7c231b39e5660856fd9580c80 (patch) | |
tree | 7d917843342adab5f2002d0cfb730eb18c462419 | |
parent | d407c9402064d8b9d1b12dca6ca1ddb2688e5454 (diff) |
Run with a custom SMACK domain (label).
Allows the systemd --system process to change its current
SMACK label to a predefined custom label (usually "system")
at boot time.
This is needed to have a few system-generated folders and
sockets automatically be created with the right SMACK
label. Without that, processes either cannot communicate with
systemd or systemd fails to perform some actions.
-rw-r--r-- | configure.ac | 6 | ||||
-rw-r--r-- | src/core/smack-setup.c | 8 |
2 files changed, 14 insertions, 0 deletions
diff --git a/configure.ac b/configure.ac
index 4f26092e91..00ee9bb92d 100644
--- a/configure.ac
+++ b/configure.ac
@@ -524,6 +524,12 @@ else
 fi
 fi
 
+AC_ARG_WITH(smack-run-label,
+AS_HELP_STRING([--with-smack-run-label=STRING],
+ [run systemd --system with a specific SMACK label]),
+ [AC_DEFINE_UNQUOTED(SMACK_RUN_LABEL, ["$withval"], [Run with a smack label])],
+ [])
+
 if test "x${have_smack}" = xyes ; then
 AC_DEFINE(HAVE_SMACK, 1, [Define if SMACK is available])
 fi
diff --git a/src/core/smack-setup.c b/src/core/smack-setup.c
index 1434dea7c1..611bfdb2df 100644
--- a/src/core/smack-setup.c
+++ b/src/core/smack-setup.c
@@ -36,6 +36,7 @@
 #include "macro.h"
 #include "smack-setup.h"
 #include "util.h"
+#include "fileio.h"
 #include "log.h"
 #include "label.h"
 
@@ -138,6 +139,13 @@ int smack_setup(void) {
 return 0;
 }
 
+#ifdef SMACK_RUN_LABEL
+ r = write_string_file("/proc/self/attr/current", SMACK_RUN_LABEL);
+ if (r)
+ log_warning("Failed to set SMACK label \"%s\" on self: %s",
+ SMACK_RUN_LABEL, strerror(-r));
+#endif
+
 r = write_rules("/sys/fs/smackfs/cipso2", CIPSO_CONFIG);
 switch(r) {
 case -ENOENT: |
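Review bot: The action-if-given branch of `AC_ARG_WITH(smack-run-label, …)` defines `SMACK_RUN_LABEL` from `$withval` unconditionally, and autoconf also runs that branch for `--without-smack-run-label` (withval `no`) and for a bare `--with-smack-run-label` (withval `yes`). Either spelling would build a systemd that tries to relabel PID 1 to the literal label "no" or "yes". Guard the define, for example `[AS_CASE([$withval], [yes|no], [], [AC_DEFINE_UNQUOTED(SMACK_RUN_LABEL, ["$withval"], [Run with a smack label])])],`, and consider rejecting the bare form with `AC_MSG_ERROR`. The option is also accepted when `have_smack` is not `yes`, where it presumably has no effect; a one-line comment above the macro saying so would help.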
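Review bot: When the write to `/proc/self/attr/current` fails in the added `#ifdef SMACK_RUN_LABEL` block, the only reaction is a `log_warning` and setup continues, so PID 1 keeps the label it booted with and whatever it creates afterwards carries that label instead of the configured one, which is the situation the commit message says this change is meant to prevent. If continuing is intended, state it in a comment above the block, e.g. `/* Best effort: on failure we keep the inherited label and boot continues. */`, and log at error level so the mislabelled state stands out in the journal. The check would also read better as `if (r < 0)`, matching the negative-errno convention that `strerror(-r)` implies. `smack_setup()` starts and ends outside this hunk, so the position of the block relative to the earlier rule loading cannot be checked from here.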