author: Casey Schaufler <casey@schaufler-ca.com> 2013-11-08 09:42:26 -0800
committer: Patrick Ohly <patrick.ohly@intel.com> 2016-01-11 11:12:06 +0100
commit: ae176752f9c91073d234448b28ae95b37b97b719 (patch)
tree: f679b3c879e7c3e9cad926cf9e1eabfe8a67a5a7 /sysctl.d
parent: cf6c8c46fceac83dfb3f2d55fae5220e60841553 (diff)

smack: Handling network

- Set Smack ambient to match run label
- Set Smack netlabel host rules

Set Smack ambient to match run label
------------------------------------
Set the Smack networking ambient label to match the run label of systemd. System services may expect to communicate with external services over IP. Setting the ambient label assigns that label to IP packets that do not include CIPSO headers. This allows systemd and the services it spawns access to unlabeled IP packets, and hence external services.

A system may choose to restrict network access to particular services later in the startup process. This is easily done by resetting the ambient label elsewhere.

Set Smack netlabel host rules
-----------------------------
If SMACK_RUN_LABEL is defined set all other hosts to be single label hosts at the specified label. Set the loopback address to be a CIPSO host.

If any netlabel host rules are defined in /etc/smack/netlabel.d install them into the smackfs netlabel interface.

[Patrick Ohly: copied from https://review.tizen.org/git/?p=platform/upstream/systemd.git;a=commit;h=db4f6c9a074644aa2bf]
[Patrick Ohly: adapt to write_string_file() change in "fileio: consolidate write_string_file*()"]
[Patrick Ohly: create write_netlabel_rules() based on the original write_rules() that was removed in "smack: support smack access change-rule"]
[Patrick Ohly: adapted to upstream code review feedback: error logging, string constants]

Diffstat (limited to 'sysctl.d')
0 files changed, 0 insertions, 0 deletions
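
The host rules described in the commit message can be checked before they reach smackfs. The following is an added example, not code from this commit or from systemd: it validates rule lines in the `<IPv4>[/<bits>] <label>` form that the kernel's Smack documentation gives for the netlabel interface, and reports which label a given host ends up with. The run label `System`, the `LAN` label, the sample lines, the blank-line handling and all function names are assumptions made for illustration.

```python
import ipaddress

FORBIDDEN = set('/\\\'"')  # characters the Smack documentation bans from labels

def parse_rule(line):
    """Parse '<IPv4>[/<bits>] <label>' into (network, label); ValueError if malformed."""
    fields = line.split()
    if len(fields) != 2:
        raise ValueError(f"expected '<address>[/<bits>] <label>': {line!r}")
    net = ipaddress.IPv4Network(fields[0], strict=False)  # ValueError on bad address/mask
    label = fields[1]
    if label != "-CIPSO":  # "-CIPSO" marks a host that uses CIPSO headers
        if label.startswith("-") or len(label) > 255:
            raise ValueError(f"invalid label: {label!r}")
        if any(c in FORBIDDEN or not " " < c < "\x7f" for c in label):
            raise ValueError(f"invalid character in label: {label!r}")
    return net, label

def builtin_rules(run_label):
    """The two rules the commit message describes, in netlabel syntax (assumed mapping)."""
    return [f"0.0.0.0/0 {run_label}", "127.0.0.1 -CIPSO"]

def load(lines):
    """Parse rule lines, skipping blank ones (assumption); return (rules, errors)."""
    rules, errors = [], []
    for n, line in enumerate(lines, 1):
        if not line.strip():
            continue
        try:
            rules.append(parse_rule(line))
        except ValueError as e:
            errors.append((n, str(e)))
    return rules, errors

def label_for(rules, host):
    """Label of the most specific rule covering host, or None if nothing matches."""
    ip = ipaddress.IPv4Address(host)
    hits = [(net.prefixlen, label) for net, label in rules if ip in net]
    return max(hits, key=lambda h: h[0])[1] if hits else None

# Constructed sample standing in for files under /etc/smack/netlabel.d
SAMPLE = ["192.168.1.0/24 LAN", "", "10.0.0.1 -bad", "10.0.0.0/33 X"]

if __name__ == "__main__":
    rules, errors = load(builtin_rules("System") + SAMPLE)
    for host in ("127.0.0.1", "192.168.1.20", "8.8.8.8"):
        print(host, "->", label_for(rules, host))
    print("rejected lines:", errors)
```

Rejected lines are reported with their line number, so a malformed file can be corrected before boot rather than discovered through unexpected packet labeling.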