On Wed, Sep 4, 2013 at 9:03 AM, Glauco Junquera <[email protected]> wrote: > How the developer can add smack rules?
Through RPM packages is one way. I don't know if other mechanisms exist and that seems > Does he add rules on the rpm's manifest file and then rpm applies the rules? So adding stuff to the manifests adds labels to file system objects, but not rules. There is a policy package that contains most of the rules. Smack access rules can come from packages separately or be part of the large policy file. The rules are just text files in /etc/smack/accesses.d/ that contain lines like "object subject access" (e.g. "foo bar rw"). Any package can install rules through rpm in that way by providing a small file with rules. > For a userspace program creates smack rules it is necessary to write to > smackfs (mounted on /smack) and only process that have CAP_MAC_ADMIN > capability can write to smackfs. Is it correct? yes. the mountpoint will be under /sys/fs/smackfs going forward. > Is yes, how CAP_MAC_ADMIN is granted to rpm? It is executed with elevated privileges, otherwise it won't be able to do anything (i.e. root access). > Is there any other userspace program that runs with this capability? There are a few system services that have that CAP, but adding new rules in smack is not something that should be done by end user applications (that would defeat the purpose of this system - i.e. to secure it). Auke _______________________________________________ General mailing list [email protected] https://lists.tizen.org/listinfo/general
