-rw-r--r--configure.ac10
-rw-r--r--src/core/execute.c9
2 files changed, 17 insertions, 2 deletions
diff --git a/configure.ac b/configure.ac
index 8b1e275d27..88b52c45fe 100644
--- a/configure.ac
+++ b/configure.ac
@@ -673,8 +673,14 @@ fi
AC_ARG_WITH(smack-run-label,
AS_HELP_STRING([--with-smack-run-label=STRING],
- [run systemd --system with a specific SMACK label]),
- [AC_DEFINE_UNQUOTED(SMACK_RUN_LABEL, ["$withval"], [Run with a smack label])],
+ [run systemd --system itself with a specific SMACK label]),
+ [AC_DEFINE_UNQUOTED(SMACK_RUN_LABEL, ["$withval"], [Run systemd itself with SMACK label])],
+ [])
+
+AC_ARG_WITH(smack-default-process-label,
+AS_HELP_STRING([--with-smack-default-process-label=STRING],
+ [default SMACK label for executed processes]),
+ [AC_DEFINE_UNQUOTED(SMACK_DEFAULT_PROCESS_LABEL, ["$withval"], [Default SMACK label for executed processes])],
[])
if test "x${have_smack}" = xyes ; then
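Review bot: The action-if-given for the new `--with-smack-default-process-label` defines `SMACK_DEFAULT_PROCESS_LABEL` from `$withval` without inspecting it, so `--without-smack-default-process-label` sets the label to the literal string `no`, and the option given without a value sets it to `yes`. Since execute.c only tests `#ifdef SMACK_DEFAULT_PROCESS_LABEL`, either case would silently become the label applied in the new fallback branch. Reject those values before the define, for example `AS_CASE(["$withval"], [yes|no|""], [AC_MSG_ERROR([--with-smack-default-process-label needs a label])])`, and keep the `AC_DEFINE_UNQUOTED` for everything else. The value is also pasted into a C string literal as is, so a label containing `"` or `\` would break or change the define; the `smack-run-label` option touched in the same hunk follows the same pattern.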
diff --git a/src/core/execute.c b/src/core/execute.c
index 94cc101738..c92db51330 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -1717,6 +1717,15 @@ static int exec_child(
return r;
}
}
+#ifdef SMACK_DEFAULT_PROCESS_LABEL
+ else {
+ r = mac_smack_apply_pid(0, SMACK_DEFAULT_PROCESS_LABEL);
+ if (r < 0) {
+ *exit_status = EXIT_SMACK_PROCESS_LABEL;
+ return r;
+ }
+ }
+#endif
#endif
if (context->user) {
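Review bot: The new `else` branch under `#ifdef SMACK_DEFAULT_PROCESS_LABEL` applies the build-time label and treats any failure as fatal, but nothing in the hunk shows a check that SMACK is active at runtime. Unless `mac_smack_apply_pid()` itself returns 0 when SMACK is not in use (its body is not visible here), a binary built with this option would fail every exec that reaches this branch with `EXIT_SMACK_PROCESS_LABEL` on a kernel booted without SMACK. Confirm that, or make the branch `else if (mac_smack_use()) {` and keep the failure fatal when SMACK is enabled, so a process never starts without its label. The `else` also hangs off a closing brace whose `if` starts outside the hunk and sits in a different preprocessor conditional. A comment such as `/* no per-unit label configured: fall back to the build-time default */` would make that pairing explicit, assuming the unseen `if` tests the unit's own label.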